“You know, it may feel like regulators are out to get us, but they’re really there to help us and help protect our customers.”
If you’re into DevOps there’s a pretty good chance at least one book from IT Revolution sits on your shelf. Headed up by Gene Kim, IT Revolution has been publishing instant classics on DevOps culture and practices like The DevOps Handbook, Accelerate (which I absolutely love) and Team Topologies for several years.
And in The Phoenix Project, their bestselling novel, we saw just how bold and creative they can be when it comes to quite literally telling a DevOps story. This fall they return to the world of fiction with Investments Unlimited. And it doesn’t disappoint.
The narrative follows a group of under-pressure technologists and managers who work round the clock to solve an existential crisis at a highly regulated fintech called Investments Unlimited. They’ve been neglecting IT governance in their race to deliver new features. Uh oh! Now the auditor is at their door with a matter requiring immediate attention (MRIA), a final warning before they lose their license to operate. Dun dun dun!
The MRIA creates a crisis, but it’s also a wakeup call for the business as it realizes it must start taking IT governance seriously. They’d made good progress in adopting continuous delivery and DevOps, but somewhere along the way governance, security and risk had gone out the window.
Like many morality tales in technology, a dysfunctional cross-disciplinary organization is at the heart of the problem. A tiger team is formed to overcome it through collaboration, technology improvements and, ultimately, continuous compliance.
The Investments Unlimited team tackle all sorts of real-world challenges faced by regulated tech firms: legacy systems, segregation of duties, diffuse “golden path” continuous integration systems, software supply chain problems, system outages; it’s all in there. It also covers neglected and less glamorous aspects of governance, like consolidating the scattered systems and documents used to capture process requirements into one consistent process.
Most memorably, the book negotiates the “core chronic conflict” at the heart of DevOps where people are incentivized in ways that prevent cooperation to the detriment of organizational goals.
“It’s another core chronic conflict: developers are incentivized to regularly introduce features—the build trap you spoke of—and Security, Risk, and Compliance are incentivized to minimize the likelihood or impact of all known possibilities, which can take time if not done well, creating a problem for the developers’ need to move fast, and so it goes around and around …”
There’s also plenty to chew on when it comes to finding technical solutions demanded by compliance and security in DevOps. The book makes the case for controls, automated evidence gathering, and a way of connecting it all together with your software process.
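To make that concrete, here is a small illustration of what controls, automated evidence gathering and a hook into the software process look like when wired together. This is my own added example, not code from the book, its authors or IT Revolution: the control identifiers, the change metadata fields and the three sample changes are all assumptions I made up for the demonstration. Each control is a predicate over the metadata a pipeline already has about a change (author, approvers, ticket, test and scan results); the evaluation produces a JSON evidence record with a SHA-256 digest so an auditor can later confirm the stored record was not edited after the fact.

```python
"""Continuous-compliance check: evaluate a change against controls and emit evidence.

Added example; control IDs, field names and sample data are assumptions, not the book's.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Change:
    """Metadata a pipeline would collect for one change (field names are assumptions)."""
    change_id: str
    author: str
    approvers: List[str]
    ticket: Optional[str]          # linked change record, if any
    tests_passed: bool
    high_sast_findings: int        # unresolved high-severity static-analysis findings


@dataclass
class Control:
    control_id: str                # hypothetical internal control identifier
    description: str
    check: Callable[[Change], bool]


CONTROLS = [
    Control("SOD-1", "at least one approver who is not the author",
            lambda c: any(a != c.author for a in c.approvers)),
    Control("CHG-1", "change is linked to a change record",
            lambda c: bool(c.ticket)),
    Control("TST-1", "automated test suite passed",
            lambda c: c.tests_passed),
    Control("SEC-1", "no unresolved high-severity static-analysis findings",
            lambda c: c.high_sast_findings == 0),
]


def _canonical(body: dict) -> bytes:
    # Stable serialization so the digest depends only on content, not key order.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def evaluate(change: Change) -> dict:
    """Run every control against the change and return a tamper-evident evidence record."""
    results = [
        {"control": ctl.control_id, "description": ctl.description,
         "passed": bool(ctl.check(change))}
        for ctl in CONTROLS
    ]
    record = {
        "change_id": change.change_id,
        "author": change.author,
        "approvers": sorted(change.approvers),
        "results": results,
        "compliant": all(r["passed"] for r in results),
    }
    # Digest over the canonical record lets an auditor detect later edits to stored evidence.
    record["sha256"] = hashlib.sha256(_canonical(record)).hexdigest()
    return record


def failed_controls(record: dict) -> List[str]:
    """Control IDs that did not pass, in the order the controls are defined."""
    return [r["control"] for r in record["results"] if not r["passed"]]


def verify_record(record: dict) -> bool:
    """Recompute the digest over everything except the stored one and compare."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return hashlib.sha256(_canonical(body)).hexdigest() == record["sha256"]


# Constructed sample changes (not real data): one clean, one self-approved, one missing
# a change record and carrying open high-severity findings.
GOOD = Change("CHG-1001", "alice", ["bob"], "TICKET-42", True, 0)
SELF_APPROVED = Change("CHG-1002", "alice", ["alice"], "TICKET-43", True, 0)
NO_TICKET_SAST = Change("CHG-1003", "carol", ["dave"], None, True, 2)

if __name__ == "__main__":
    for change in (GOOD, SELF_APPROVED, NO_TICKET_SAST):
        rec = evaluate(change)
        verdict = "compliant" if rec["compliant"] else "BLOCKED"
        print(change.change_id, verdict, failed_controls(rec))
```

In a real pipeline the `Change` would be built from the source-control and CI APIs, the gate would refuse to promote a non-compliant change, and the evidence record would be written to write-once storage (with the digest signed, if you need stronger provenance than a hash). The point the book makes is that this evidence falls out of the delivery process automatically, rather than being assembled by hand when the auditor arrives.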
I’ve worked at the intersection of DevOps, compliance and audit for the last ten years and I think this book is a triumph. For regulated companies, IT Risk, governance, and security are the next frontier for DevOps collaboration and Investments Unlimited explores the territory brilliantly, engaging non-technical stakeholders through expert storytelling. This is THE book to give to management, compliance and change management functions as a primer for DevOps.
I was fortunate to chat with John Willis, one of the authors, at DevOpsDays in Washington DC. There was an open space discussion in the afternoon on the book’s origin and a collaborative writing process that involved nine authors. Nine! Whether it’s IT governance or writing novels, it’s DevOps for the win.