No longer the domain of shadow IT, Software as a Service (SaaS) platforms have become an integral component of the modern enterprise. Indeed, ‘cloud first’ is often the rallying cry of the modern CIO’s bimodal IT strategy. Nowhere is this more prevalent than in the huge growth and expanding footprint of the Salesforce portfolio of products and services. However, with great growth comes great responsibility. As with any good enterprise citizen, strict yet flexible governance should be front of mind.
Given security should underpin every decision we make in IT, DevOps might be more accurately called DevSecOps. It is the natural embodiment of good governance as it relates to developing, delivering and operating IT software and services – without a clearly defined governance strategy an effective DevSecOps approach is doomed to fail. However, good governance is lean governance and should never compromise a business's agility or stifle innovation.
But before we can securely develop, deliver and effectively operate a service, we must assess and prioritise it. Consider the brilliantly simple yet powerful IT4IT cloud operating model. This go-to, vendor-neutral framework for managing the business of IT can be split into four service lifecycle phases:
Strategy to portfolio: Align, assess and prioritise portfolio demand
Requirement to deploy: Architect, design and build services
Request to fulfil: Catalog, fulfil and manage service usage, delivery and expectations
Detect to correct: Monitor, measure and proactively manage resolution of incidents and outages
While IT4IT is not the subject of this article, it provides a useful example of a familiar IT operating model, allowing us to illustrate the IT value chain and frame a broader discussion around delivering successful Salesforce initiatives. Our focus, then, will be on managing demand and demonstrating how solid governance and a culture of collaboration and shared responsibility can set an organisation up for success.
Properly managing a pipeline of demand is essential and enables an organisation to effectively address Salesforce programs and projects across multiple business units, dependencies and systems.
Aligning, assessing and prioritising will help in enforcing governance through quality checks, information security, standards and compliance alignment, all while cultivating a culture of shared responsibility and trust from the outset through collaboration and cooperation. These are key facets of any successful DevSecOps strategy.
We can consider managing demand from two perspectives: the PMO and the 'IT Operating' lens. Though never mutually exclusive, this article will focus on demand management from an IT Operating perspective by exploring the following questions:
Given that collaboration is fundamental to success, establishing a cross-functional team from the outset is crucial. Typically, business sponsors and senior stakeholders will drive the conversation, while project managers, product owners, security, enterprise and application architects, testing, service delivery and change managers will contribute across their specific areas of expertise.
Importantly, this is not to drive requirements or talk solutions, but to ensure alignment to governance and compliance standards, and formalise the roles and responsibilities of the collaborative team.
This is where we align an initiative with a business's overall corporate vision, strategy and goals, and identify the inherent risks in developing and operating it. How does it align with other 'inflight' and pending programs, and how might we define and continuously measure the initiative against KPIs?
This ensures alignment between IT and the business, as well as better utilisation of available budgets and resources. It also assists in the adoption of new services across the organisation.
Next comes an assessment of the underpinning business drivers and technology makeup. Understanding and mitigating risk is essential. This includes, but is not limited to, legal and regulatory compliance, Salesforce org strategy, business continuity, privacy, security, architectural compliance, and social impact.
This involves looking at the regulatory compliance requirements mandated by the organisation and the broader context of its ecosystem and particular geographies. At this point we look at the established repeatable strategies, processes and controls that are in place to ensure we meet and can measure compliance on an ongoing basis.
A privacy assessment identifies and records the essential components of any proposed service containing significant amounts of personal information, and establishes how the privacy risks associated with that system can be managed.
Consider where this service will be implemented based on a defined Salesforce 'org strategy' using the following levers:
Organisations must mitigate the risk of service unavailability and data loss through robust data backup and recovery strategies, so that the business can continue to operate in the event of service downtime. Furthermore, continued monitoring and measurement of service performance is essential to proactively detect and mitigate data loss incidents and breaches.
The service must comply with the guiding architectural principles. Often trade-offs must be made when implementing systems due to time, resource and budget constraints. The following pillars, taken as a subset of the AWS Well-Architected Framework, are an excellent template for all modern cloud services:
How does the service leverage enterprise-wide shared service infrastructure? Consider the following:
Machine learning and artificial intelligence are increasingly integrated into commodity cloud services, and the more sophisticated and ubiquitous AI becomes, the greater its impact will be. Salesforce offers its Einstein service in multiple flavours, and its technology is increasingly versatile and powerful. As such, an assessment of the potential impact of AI becomes an important step in assessing overall demand.
Automated systems making intelligent decisions have major societal, legal and moral implications. Organisations must recognise this and consider unsupervised AI decision making in the context of human interactions and privacy.
Indeed, in time, we may need to broaden the DevSecOps portmanteau to DevSecPsyOps and introduce the requisite roles and disciplines across our service lifecycles. Consider how an intelligent agent interacts with a human, for example – should it have been trained in culturally appropriate interaction so as not to cause offence?
Consider an HR system making the decision to fire an employee, or a recruitment management system assessing suitability for a job application. We’ve already seen examples of biased intelligent candidate screening – these are just a handful of examples that on the surface embrace AI for efficiency gains but may result in unintended consequences.
Organisations will have differing priorities, assessment strategies and business drivers depending on the size and scope of an initiative. Once approval to proceed has been given, budgets have been allocated and resources are available, an organisation has a much better handle on the size and shape of the delivery.
Transitioning to the Requirement to Deploy phase can allow the DevSecOps mantras of 'people, process and tools' to truly shine through. The iterative design, development, testing and release of quality software artefacts, where compliance is reinforced through predefined manual and automated assurance gates, can then begin with confidence.
Watch this space – up next we’ll discuss the Request to Fulfil and Detect to Correct phases of the overall service lifecycle, and how the DevSecOps approach ensures a smooth transition to ongoing service management and support.
To learn how Salesforce Architects can help you achieve your vision, download the ‘Transforming Business through Strategic and Technical Guidance’ ebook.