All posts by arunaravichandran

When AI meets DevOps: Getting the best out of both worlds

DevOps has been widely embraced by businesses under pressure to get competitively advantageous digital deliverables to market at the fastest possible cadence—especially given the reality of limited coder headcount and the need to rigorously avoid brand-toxic snafus in the customer experience. Artificial intelligence (AI), in stark contrast, is a potentially transformative digital discipline that is still very new to most enterprise IT organizations.

But while it’s certainly important that CIOs nurture AI adoption with appropriately resourced pilots, it’s also essential to link nascent AI efforts to maturing DevOps concept-to-production pipelines. Here’s why.  

The data science silo

“AI” has become a catch-all term to describe a broad range of algorithm-based disciplines such as machine learning and natural language processing capable of discovering patterns, trends and anomalies in large volumes of diverse data. Given the wealth of data increasingly available to businesses, this AI-based discovery can potentially deliver significant benefits—from anticipating customer needs to identifying emerging market risk.

The algorithms that fuel AI, however, bear little resemblance to classic application code. Code is written by developers to execute actions in some logical sequence. If you want to change those actions, developers have to change the code.

Algorithms, on the other hand, are crafted by data scientists to tease hidden insights out of data. Data scientists may certainly tweak those algorithms over time to enhance the resulting insights—but, to a large extent, well-crafted algorithms inherently respond to change without explicit human intervention.

Due to these unique characteristics and skill-sets, organizations typically initiate their AI efforts in sandboxed pilots where the main challenge is determining which types of algorithm can uncover the insights that are most valuable—which typically also means most actionable.

This experimentation is good and fitting. It’s tough to on-board data science talent, and it’s tough to connect raw technical data science talent to the real-world needs of the business. So we all have a lot of learning to do when it comes to AI.

That learning can’t remain in a silo forever, though.

Escaping the AI island

In an increasingly digital marketplace, actions take place in code. For the insights revealed by our new AI environments to actionably impact businesses, they must be acted on programmatically.

In some cases, this programmatic action may be sending an alert to a customer’s phone. In some cases, it may be changing the price of a SKU. In others, it may be re-prioritizing workflow to internal staff.

Regardless of the specific use-case, there is clearly a need to connect AI insights with application code.

This has several implications when it comes to DevOps. For one thing, developers must be able to code and test calls to AI systems in much the same way as they do to databases and other resources.

For another, ops teams must be able to ensure that the new generation of hybrid AI-application systems reliably perform at required levels even as workloads spike. Such performance SLAs can be particularly challenging given the intensity and volatility of AI processing.

Change management is another key consideration. Developers must preserve the integrity of AI calls, even when they add, delete, or modify other aspects of their applications. And, conversely, when data science staffs modify their AI environments, we must somehow ensure that there aren’t unexpected adverse impacts on end-to-end system behaviours.

Security and compliance are considerations as well. AI ingests and egests a lot of potentially sensitive data. The safety and proper governance of that data in these increasingly complex environments don’t just happen. Nor should they be grafted on to systems as an afterthought. That’s another reason AI and security and DevOps—or, as many of us have taken to calling it, DevSecOps—must come together.

Chaperoning the DevOps-AI courtship

Given the imperatives above, CIOs and other digital leaders in the enterprise need to take several steps now to ensure that any future relationship between AI and DevOps will be a cordial and productive one.

Suggested steps include:

  • Begin mapping processes and workflows in your DevSecOps toolchain that will provide the same automation, QA, and auditability of AI integrations as you’re presently implementing for APIs, database calls, cloud connectivity, and the like.
  • Ensure that your data governance methods and technologies can be uniformly applied across platforms, environments, and data sources.
  • Get your DevOps and data science people together. Their tools, skills, and cultures may be markedly dissimilar—but ultimately, for your business to win, they will have to collaborate in much the same way as we are driving developers, QA teams, ops staff, security professionals, and business analysts to collaborate.

AI will transform business in the coming years. But it won’t do so by itself. Only in concert with a holistic approach to digital transformation can businesses reap the full potential value of AI.

Learning from the masters of DevSecOps: Getting security right at scale

With the relentless 24/7 nature of the digital economy, many customers I talk to are under pressure to continually release and update their apps. Making this happen is a challenge in itself. But keeping those apps secure can be even more problematic – especially when security is left to the end of the development cycle.

That may seem an unlikely approach in today’s heightened IT security climate. But in my experience, it’s all too common. Under pressure to get their apps out fast, firms often compromise security.

It’s an issue underlined by research on app security, carried out by Freeform Dynamics with executives in large global businesses.

Only 20 percent of them strongly agree that their security testing is up to the demands of continual app development. And only 25 percent strongly agree they have a robust approach to continuously testing for security vulnerabilities.

At the same time, the threats due to mobile and web-based apps continue to grow – 74 percent say security threats due to software/code issues are a growing concern.

The era of DevSecOps

So what is the path forward? Given the enormous security threats we now face, organisations must embed security into the very DNA of their software development processes. That means weaving it into every step of the development process: design, coding, release, operation and updating.

Ironically, business leaders know this. Almost all of them (91 percent) agree that making security a more integrated part of software development is a key priority. Some 76 percent believe it’s critical to integrate security practices earlier in the software development lifecycle. 

The evolving process for doing this, DevSecOps, is not, however, as straightforward to implement as we’d all like.

As the name suggests, DevSecOps means “shifting left” and bringing security into the DevOps fold, so that security testing becomes a natural part of the development process. This puts pressure on an organisation’s people, processes and tools.

That probably explains why only about a third of executives (32 percent) say their IT function is “very effective” at integrating security into the software development cycle early on. And why only 24 percent strongly agree their firm’s culture and practices support the necessary collaboration between development, operations and security.

Most troubling: there may also be a lack of support for implementing DevSecOps at the top. Only 24 percent of respondents strongly agree that senior management understands the importance of not compromising security in favor of speed-to-market. This is truly an alarming statistic, and very surprising in this era of growing security breaches associated with mobile and web-based apps.

Look to the masters

Despite these barriers, the research identified a group of businesses that excel at DevSecOps practices. These ‘Software Security Masters’ represent about 34 percent of the businesses surveyed, globally.

Not only do these firms make security an implicit part of how they work, they take a much broader view of security than their peers. A full 45 percent of the masters strongly agree that security is an enabler of new business opportunities in addition to helping protect a company’s data and systems, versus only 19 percent of their peers in the “mainstream”. As an executive at one such organisation explains: “We work with security early on, so that we’re not architecting in security flaws.”

Not surprisingly, the study found that the masters are also seeing significant business benefits as compared to the mainstream:

  • Accelerated time-to-market: Masters are 2.6x more likely to say their security testing can keep up with the demand to release frequent app updates
  • Improved competitive advantage: Masters are 2.5x more likely to say they are moving fast enough to out-pace their competitors
  • Healthier top and bottom lines: Masters have a 40 percent higher rate of revenue growth and a 50 percent higher rate of profit growth than their peers in the mainstream

The business case for DevSecOps couldn’t be clearer. It drives business performance because, in the words of another of our masters, “security cannot be an afterthought”.

How to achieve agile-DevOps-cloud superiority in your business

Anyone who knows anything about the application economy is embracing agile, DevOps and cloud – and with good reason. Agile empowers you to more rapidly deliver code that more precisely meets the immediate needs of the business. DevOps helps you get that code into production without delay, and improve software quality through enhanced feedback loops between development and operations. And cloud safeguards your user experience by adaptively responding to fluctuations in session volume, data intensity and other workload characteristics.

These are the gains. But there is a myth that agile, DevOps, and cloud can also be disruptive to both IT and the business. Many fear that the migration to agile-DevOps-cloud can create new pains for both sets of stakeholders – which can lead to hesitation or uncertainty around adoption.

However, rest assured that these pains – while founded in reality – can easily be avoided.

New pains for IT

There are three commonly cited pains for IT. First, it’s true that getting agile-DevOps-cloud right isn’t easy. It requires new tools, new skills and new processes. This transformation can be especially daunting for enterprises running applications across multiple platforms of various vintages. Tools, skills, and processes for those platforms tend to be entrenched. So there is a common misperception that agile-DevOps-cloud is as much about undoing the wrong things as it is about doing the right ones.

In an organisation with many entrenched systems and processes, this undoing can be so daunting that it prevents moving forward. However, agile-DevOps-cloud doesn’t need to undo entrenched systems—at least not at first. Typically, a transition starts with a business imperative: for example, launching a new software application. This can be done in parallel, without affecting legacy systems. Once the business sees the benefits of this approach, the same principles can be gradually spread out to other projects and systems.

Others fear that agile-DevOps-cloud can turn into a game of Whack-a-Mole. Just when you solve one bottleneck or quality issue, you discover another. Get your scrum management tight, and you realise you need service virtualisation to accelerate testing. Implement service virtualisation, and you realise you need to get better at looping input from the field back into your requirements.

However, while striving for speed and quality can be ceaseless, it doesn’t need to be gruelling. This game of Whack-a-Mole can be largely avoided by proper planning. Think through the bottlenecks in your organisation and try to address them proactively at the start of your project. Of course, like any improvement project, there will always be things that weren’t foreseen—but rather than think of these things as a negative, it’s better to view them as opportunities for continued improvement.

Which brings us to the third perceived pain-point for IT. The argument here typically goes something like: “sure, agile-DevOps-cloud can help your company achieve competitive parity, but it doesn’t automatically produce competitive advantage.” To an extent this is true—if everyone is using a particular tool, it’s not an advantage by itself. Differentiators are only differentiators when they are different.

It is true that the vast majority of enterprises use clouds today; and agile is also used by more companies than not. However, DevOps adoption—which is really just a fully executed extension of agile principles throughout the organisation, enabled by cloud—still remains relatively low. Advantage will only come with a combination of superior agile-DevOps-cloud execution and a superior business model.

Good isn’t quite good enough

On the business side, business leaders need to recognise that good isn’t good enough when it comes to IT improvement strategies.

Just as the goal of IT should be enabling the business objectives, so too must the business support and enable IT transformation. Business leaders should be careful about congratulating themselves for merely investing in digital just enough to get a “me-too” mobile app out the door. It takes more commitment than that to achieve true agile-DevOps-cloud superiority, and that requires the support of both business and IT leaders.

Finally, an operationally superior agile-DevOps-cloud pipeline is only half the story. Operational superiority and even the best-coded software application don’t guarantee that you will win the hearts and minds of customers. For that to happen, the business itself must come up with really smart, well-differentiated digital value propositions. That’s something that can be enabled and enhanced by a superior agile-DevOps-cloud strategy, but at the end of the day the business needs to have a product customers want to buy.

Ultimately, the key takeaway businesses and IT should get from the agile-DevOps-cloud triad is this: competency does not equal excellence, and complacency kills just as easily as ignorance will. The goal for agile-DevOps-cloud adoption cannot merely be “keeping up with the Joneses”; rather, competitive excellence needs to be the end-game for businesses looking to leverage agile-DevOps-cloud.

The good news, of course, is that if you achieve agile-DevOps-cloud excellence and if your business can creatively re-think its value to the customer, the rewards can be tremendous. Just ask the folks at Dollar Shave Club or Jet.com.