When Federal people ask to secure a DevOps app creation and delivery process, what do they mean? Chris Willis joins me in this episode to answer that question with a #vmwaretanzu customer example that does all the DevSecOps stuff: the Tanzu Build Service, buildpacks, Tanzu Application Service (Pivotal Cloud Foundry), and other components. He covers FIPS encryption requirements, STIGs, working with the authorizing official, and the overall practices and culture-think for securing build pipelines.
What problem is DevSecOps solving? Was DevOps not secure already? In this video, I go over my understanding of what DevSecOps is and use container security as an example.
Hiring people with the right software skills is hard – for all of us! But it shouldn’t be as big of a problem as we make it out to be. Maybe there’s another way to “find” the right people…
Changing how one team does software is easy, changing 500 is another thing entirely. How do you scale culture change, digital transformation, and all that? Coté explains how with a couple real world examples.
According to a recent Forrester Research recontact survey of global CIOs and SVPs, 58 percent of respondents now rank “changing our business model” as a top priority. How does IT need to change to help? When it comes to custom written software, there are three ways: (1) move from a project to a product mindset, (2) give developers a standardized platform, (3) manage for innovation, not delivery. Coté discusses each of these, with real world examples.
Beyond, you know, not working, there’re good reasons to take vacation. Your brain will function better, your quality of work will be better, and all that digital transformation stuff will go better if you’re not running at full capacity. Management can do a lot to encourage people to take vacation and get charged up for work. In this episode, I got over three reasons why you should take vacation and three ways executives can make sure you do.
Summary
For staff:
You need to be limber for crisis time – organizations are killed by when things go wrong, so you need to focus on the “black swans.” De-stressing is good for this. Save up your stress budget for avoiding destruction.
Vacation is part of your comp. don’t let your employer cheat you, rather, don’t cheat yourself!
Always focus on the system, and then yourself – if you feel inadequate, it’s likely a system fault. You can focus on fixing that. But, you shouldn’t let it make you think you need to prove your worth.
For managers:
First, you need people who are relaxed and well functioning. They can’t be stressed. I mean, I don’t know what else to tell you here.
Executives need to lead by example – take time off; proactively tell staff to take a day off.
Give more days off to show your commitment.
Schedule work around holidays – Thanksgiving and Christmas code complete and GA dates are dumb.
Many people use “regulations” and “compliance” as an excuse to avoid changing how they build and run software. But, what if compliance was actually a beneficial feature, and auditors were “customers” you were looking to please? “Nobody thinks of it as ‘governance’ if it benefits them. They only call it ‘governance’ or ‘regulation’ if they don’t want to do it.” Let’s see if we can turn this frown upside down.
00:00 – People don’t like governance and regulations, but everyone has it. 00:49 – The three types of apps being governed. 02:27 – Enterprise architecture governance – governing decades of app design sprawl. 04:26 – regulations, like, laws and stuff. 06:54 – Treat regulations as a valuable feature, auditors as “customers. ” 07:39 – Example: we benefit a lot from banking regulations. 08:31 – Auditors are “customers” as well 10:50 – “Governance” is stuff you don’t want to do – so, hack your mindset. 11:20 – Auditing is an overly manual, error prone process – it needs better tools! 12:00 – Use automation and cloud native stuff to make auditing better 14:23 – Example: the US Air Force automates governance. 16:28 – Benefits of embracing regulations as a feature. 17:48 – Regulations are a strategic asset. 18:25 – Example: startup banks vs. big banks. 21:43 – Embrace regulation and compliance – good customer experience, done efficiently. 25:18 – The Return of Banana Boy.
Creating an innovation-driven culture is difficult and requires deliberate and well managed change to how you operate. Scaling it to a large organization is even harder. You also need the organizational context and norms – the culture – that allows innovate practices and thinking to thrive. Nailing these down, let alone what “culture” even is, can be hard. This talk will define what an innovative culture is and then cover several proven methods for leading culture change. Throughout, we’ll draw from use cases from large organizations that have tackled the challenge of changing to a innovation-driven culture.
00:00 – Intro. 00:50 – Origin of the culture talk. 01:32 – Slides overview. 02:32 – The Reward – European baking differences. 03:28 – Start of actual talk – agenda. 05:11 – How to draw an owl. 06:10 – My bio. 06:47 – Possible special guests. 07:17 – What’s driving all this? Why care to change? 08:52 – No one actually wants to change. 10:28 – Software failure is still very common. 12:52 – Daimler example. 16:04 – But, what is “culture”? 17:40 – More detailed definitions of “culture.” 18:08 – Culture: how we do things around here. 19:08 – The team’s innovation culture tools – innovation, risk takers, people-centric. 20:51 – The Home Depot example. 23:40 – What management gives the teams. 25:22 – Kitchen example. 28:12 – Leadership changes. 31:09 – Managers must kick-off blameless postmortems. 32:10 – Scaling culture changes, esp. in large organization. 32:29 – Make vision a tool, not (just) a statement. 34:29 – Start small and seed teams. 37:24 – People can change. 40:01 – Culture metrics – measuring culture change. 48:27 – Thanks! …and further reading. 43:28 – Consulting, internal marketing, branding, conferences. 48:57 – Common Q&A questions. 49:21 – End of presentation. 50:01 – CTA! Book office hours, learn about Tanzu. 51:53 – The Return of Banana Boy.
Measuring your progress in transforming how your organization functions and runs – the “culture.”
Transcript
Tanzu Talk – culture metrics
[00:00:00] Cote: Today, I want to finish out going over some kind of starter metrics. If you remember, I went over business metrics
[00:00:11] and I also went over technical metrics and those metrics about that, let you monitor your ability to get software out the door and meantime to repair like that. Here, if you want eat those, but this last one is it’s, not, it’s quite developed as I would like it to be. It’s more of a very low starter.
[00:00:33] You will of doing things, but I think of them as culture metrics now, just very briefly I actually need to write this up for the Tanzu Developer site, Cote’s Codex of Confusion: what is culture? And, very briefly, I think of when you hear the word culture in the context of IT and DevOps and agile and cloud native and containers, and all of that, that, to me, what it means is [00:01:00] basically the organizational norms, the way that you operate.
[00:01:05] And I think this is inclusive of not only soft things like sentiment and attitude, but actual policies and organizational structure, the way that your setup. You can almost think of it metaphorically as society and culture also is a lot about attitude and getting to that point of psychological safety.
[00:01:25] Where people are free to be innovative and make mistakes and learn from them and have that product way of doing things when you’re changing your culture. So oftentimes culture comes up in, in the conversation about how you improve software and digital transformation and all that.
[00:01:43] Because people have been operating in a more it service management request driven way, an order taking way. Where there’s still an understanding in the let’s call it “traditional culture,” that software development is difficult and [00:02:00] confusing. And, but you have agile and scrum and things like that in the developer area with a product manager and owner to once the requests get into development.
[00:02:11] They run development can run in a pretty good way, by today’s standards of culture and things like that. But then in a sort of pre-DevOps way of thinking, it gets out of that little part of the development, and then it goes exactly into the same kind of command and control order giving and taking into operations.
[00:02:31] Now, DevOps was, has been nice because it’s played around at a breaking down that more and trying to unify operations staff and infrastructure people in production back to the developers. I often think about it…I used to talk about a lot of what DevOps is doing is trying to convince the developers that their software running in production is actually part of their software is actually part of the coding that they’re doing.
[00:02:57] And until their software is running in production and [00:03:00] it’s ongoing health and production, they’re not really done with the software. I’m trying to prey on that developers idea that. At least developers when I was one in once I would use to work for, there was this extreme amount of pride in committing the code and being done.
[00:03:17] Very few developers. I ever encountered were fine with just like never finishing, like it’s, a big moment. And so you extend out that idea that you’re not done until your stuff runs well in production. In fact that you get feedback about how users are using it. So you can go through. I should superimpose this all batch process of improving your software every week or every day. You’re not really done with it.
[00:03:41] So anyhow we’re trying to get to a culture where the developers are trying to innovate and come up with new things. And it requires a tremendous amount of trust from develop from management that you actually want people to do this.
[00:03:56] And I’ve talked about other places and written about it in my books, kind of ways [00:04:00] managers can put that trust in place, but. Let’s cut to the chase.
[00:04:03] So let’s say you’re a manager, an executive, a leader and you are rebuilding the system. You have, you are reprogramming your code, which is the organization, the norms, the process, the policies the culture, right?
[00:04:18] That’s ultimately I think a significant part. Of what management is doing is the culture is a product that they’re constantly building and refining. And if you remember Sophie Siewald several episodes ago, she made towards the end of the episode or the interview, she talked a lot about how making sure people are set up to succeed to put it in complete vapid language, but making sure they understand strategy and what they should be doing and feel confident that they can do that job is, the majority of what a management, especially in a remote situation needs to do.
[00:04:52] But how do you monitor that culture change? How do you see what the health is right now? Obviously, as with all measurements, [00:05:00] things will vary. You’ll come up with better things, blah, blah, blah, blah, blah. I just have three that are at least, I think, bare minimum starters to go at. So you can monitor the culture ongoing.
[00:05:10] Business success is the ultimate measure [00:05:10] And I would also say that I think when it comes to something like culture, there’s two things that are more important than metrics to measure. One of them is: are you succeeding at your strategy, your goals, right? And let’s just use the simplest thing possible.
[00:05:25] Omni-channel retail, right? Like we used to sell in store; we had some kind of delivery; but now we want to sell with curbside pickup; we want to be able to deliver things; we need ways that people pay at the door instead of paying online; we need to handle returns. And, as always the ultimate rating of if you’re doing things well, is if the business is achieving the goals and things that it’s needs.
[00:05:49] And I would suggest that at the businesses and things are thriving well that your culture is adequate. There’s, paying attention to are you achieving the business goals that [00:06:00] you have? And this goes back to the business measurements, right? So if you’re a really boring one. If you’re in a government agency and one of your business goals is to increase customer service, increase your core job of doing things for your citizens.
[00:06:16] If you’re reducing the time it takes to fill out a form and get whatever approval to renew a license or whatever the process is that someone has to come in and you’ve got to transact with a government official to verify your identity and make sure that you’re verified to do whatever it is.
[00:06:30] You’re getting permission from the government to do or…whatever the license, you just want to rent a picnic table at a park and you’ve got to fill out a form somewhere to reserve it for a Saturday between the hours of 9:00 AM and 12:00 PM. That would be a use case where, us in the regular world would expect that we would go to a website, fill out a forum, see when it’s free and busy and within minutes we could book it or not.
[00:06:58] And we could also just search around just [00:07:00] like you would search AirBnB or, look for a washer and dryer. You could search around the entire city or county or region and find tables that were available and you could see pictures of them. Having that good customer experience would be a th the amount of time it takes the completion that people have to booking things.
[00:07:19] Would be a business metric you’re monitoring. And if that was improving, that would be a great sign that your culture is doing well.
[00:07:25]Are people happy? [00:07:25]
[00:07:25] And then I think a second one is the it’s, the unmeasurable thing of just like sentiment that people have. So just walking around and getting a sense of how people are when you and management have an all hands meeting and people are crossing their arms and no one really asks questions, and, especially if all they’re asking questions about is like benefits and compensation that have been changing, like the mechanical stuff – don’t get me wrong, those questions are important – but if people aren’t asking questions about the actual business and their product that you’re working on, there’s probably something odd going on, right?
[00:08:00] [00:07:59] They’re looking at their role as purely transactional. And in fact your relationship with your staff may be purely transactional, and that’s a good indication that you’re not angling towards that type of product innovation culture. That if you watch me talk about anything you’re obviously interested in, because you want to run your business or your organization better with software is the primary way of doing that a product driven approach.
[00:08:23] So there’s those things to look at. But let’s look at three actual measurable things. That I’ve seen people using that. I think, again, they’re not sufficient at all, but are a good start at things.
[00:08:35]eNPS [00:08:35]
[00:08:35] So the first one is NPS net promoter score is a great I, don’t want to try to get my leading and trailing indicators mixed up, but I think it is, it’s an ongoing good way of figuring out people’s sentiment.
[00:08:53] And what I always like about NPS is it’s not just like, how would you rate this? What is because the [00:09:00] the issue you have with let’s call it star ratings, right? When I rate delivery or when I rate a picnic table that I rented from the city. Like a lot of what you’re actually rating is how your experience was right.
[00:09:14] Like how your interaction on that day on that minute was. And so if it was rainy and like the people who were previously there forgot to clean up the picnic table and your…your, daughter had an exploding diaper that you had to clean, you’re probably going to give it less of a good rating than you would if things were sunny; and when previous to you had picked everything up; the diapers were fully functional for your daughter and that she didn’t even need to have a diaper change at the time; and everyone was happy and had a good time. You probably would give that table a high rating when really what you’re rating is the experience you had.
[00:09:51] So I think that comes up a lot in employee survey stuff. How would you rate your manager? How would you rate this? And of course, as [00:10:00] I’ll get to those are important, but NPS I think is interesting because it says “Do you like this thing enough that you would risk your reputation to tell a friend of yours that they should also do it.”
[00:10:14] So that requires a different layer of analysis, whether it’s a product thing or as here, right? Would you ask, would you recommend someone working at this organization? Because it really, I think it requires the person answering it to shift the way they evaluate things away from their own experience and especially doing it ongoing in an aggregate I think it’s a good indication of what people think, obviously if they like the culture, even if they see that it’s improving. They’re probably more likely to recommend it to a friends and family that they have to work there.
[00:10:45] Now, my criticism of NPS is that it’s like way too complicated in like the strange system that I’m sure has some basis in mathematical reasoning, but it’s it’s on a scale of one to 12 and if someone is in an eight, then [00:11:00] it’s good. And anytime you have a scale from like one to 10 and only like the top two are good, I always wonder What are we doing with all those other numbers?
[00:11:08]Belief in strategy [00:11:08]
[00:11:08] So next, this comes up if you do annual surveys a lot, but I think it is an important thing to figure out, getting answers to. And it gets to that, alignment to strategy. And that is figure out some way a regularly asking if people believe in the strategy that you have, and also believe that the leaders know what they’re talking about. And I think when you do anonymous surveys it’s pretty easy. It’s an outlet for people to complain about management, not doing anything.
[00:11:37] And so I would listen to that very closely, especially in it, one of our favorite phrases is what are those people actually do, right? If you don’t see someone doing work and you don’t have, you don’t benefit from the positive or negative effect of their work, basically, if you’re in IT, you assume they’re doing nothing and unfairly getting money and compensation.
[00:11:59] I don’t know. [00:12:00] Maybe you don’t, but that’s been my experience in the corporate world. It’s very zeros a game. So if you’re not for someone then what you’re basically doing is sucking up their compensation and their glory, unfairly. So you definitely want people to perceive that you as executives are doing things and hopefully it’s because you’re actually doing things.
[00:12:24] And equally importantly, like you want to constantly monitor that people understand what we’re doing and do they believe in the strategy now, the way you ask, if they understand the strategy you can just ask them, “do you understand it?” but you need to actually check and make sure that they know what’s going on there.
[00:12:39] Which again, a Sophie talked about when we talk with her a while ago. But I think she had, I haven’t thought about this long, but this is what I wanted to bring up with her on this, where you’re tracking the metric of understanding strategy. And..Again I think it’s probably good for us as a intellectual class of IT, whatever to get away [00:13:00] from military metaphors.
[00:13:02] But there’s this idea of commander’s intent, right? Where the commanders, the the, officers the leaders in the military, they can’t go down to each squad, each soldier and kind of manage what they’re doingthey can’t really micromanage them, but they just tell them their intent, their goals.
[00:13:19] And so it’s good to be able to track like when we use an OKR, for example, or an MBO or whatever, is this expressing sufficiently what our principles are and what we want to do and does that trickle down, and that can be difficult to manage, but I would focus on like one, you’re probably going to get people to ne- you need to need.
[00:13:41] You’re going to need to get people to understand what strategy even is. So you’re going to have to explain to them what this means to understand strategy and execute on it. And understand how they fit into doing all of that. But anyways, again, with a lot of metrics monitoring these two things, belief in you, the executive or the leader, [00:14:00] and then also, understanding and belief of the strategy – these are as much polls and dashboards of how your staff are doing, but also a way to force yourself to know what you’re doing and to actually do these things right. And ongoing again, get input from people about if you are, if you’re doing it, if you’re succeeding at it, if you need to tune it.
[00:14:21] Because again, the organization is your product as, a manager, as an executive, as a leader, right? It’s your software. And so just like you want your software developers to constantly be getting feedback so that they can improve the software and improve how things are going and innovate, you need to be able to do that too. You can’t have a static organization.
[00:14:39]Staff Churn Rate [00:14:39]
[00:14:39] So then finally, as a…I guess this is a trailing indicator you predict a little bit with it is I think it’s really important to, to track your staff retention and churn rate, right? Like how often are people leaving? How often do you get new people?
[00:14:56] Is it easy to replace people? And this is the other side of [00:15:00] the employee NPS is I think there’s a certain level of churn. That you actually want. And not want because of, and sometimes not only because of you want to, as they like to say, get all the dead weight out. I don’t think, I think focusing on removing people is not the positive aspect of churn.
[00:15:18] The positive aspect is getting new people in new ideas, new stuff in the system. As, we as we like to call it in normal, the normal world diversity. So it’s good to get new stuff in there so that you’re not isolated and using all the old ways. So you definitely want a certain amount of churn that allows for new people to come in and percolate that idea.
[00:15:39] But, obviously if you have a lot of people leaving that’s bad. Also, if you do have people leaving and you easily refill them, but then those people leave quickly. Your churn rate. How often do we have a revolving door of people coming in and out? There’s something wrong going there as well. Right now, this might be compensation, always a problem.
[00:15:57] They can get comps elsewhere. This is a [00:16:00] small minor thing. But one of the things that’s related to this is we all know that pretty much the only way to get a raise and a promotion is to quit your current job and get a new job. This is again, one of those things that we all know this and yet…that’s the case, which is really weird that your existing organization wouldn’t, you know, nevermind these like market rate and salary band things that HR is going to give you, because the reason you leave is because you exceed those and you get away from the HR policy when you get a new job.
[00:16:32] So it’s incumbent on you, especially as HR or people or whatever you want to call it as HR people to really think about, again, this is something to monitor. When we look at this churn rate. Nevermind, what we’ve outsourced the study to Mercer and we found out what the compensation is per region.
[00:16:51] Is that working right? Is that achieving the goals that we have or do we still have a huge amount of churn of people who leave?
[00:16:57]Wrap Up [00:16:57]
[00:16:57] So those are, these are again, three [00:17:00] kind of areas of things to start monitoring, to put on your dashboard when it comes to culture. And I think there are many, more things to monitor and I think maybe I’m not going to say the cultural ones are the most important.
[00:17:11] I think the business ones are the most important. But I think they are things that classically people don’t look at, which I think is the whole kind of notion of the three things here. So just to wrap up the series like I think most of what we focus on are technical metrics because we’re technical people in IT.
[00:17:30] And these are just four things to look over. I would also throw in I think it’s like the six SRE golden rules, and then there’s some people in Medium, who’ve made it the six plus eight. Like your 12 factor, or your 14 factor stuff, but whatever, it’s good to rethink the technical metrics that you have to align with the way that container driven software works, right?
[00:17:54] That cloud native software development works, which is why you have a change failure rate and time to restore [00:18:00] versus uptime and availability. And then of course the most important are the business metrics, which are hard to quantify, but they really require a very good understanding of what the business is and how being good at software fits into that.
[00:18:17] And you remember, I think I managed to come up with five, but there’s a good kind of overview of, some examples of things there. And then the one we went over today, the the culture metrics, right? So you, as the leader, when you were building the product of your organization, how do you monitor that you’re doing a good job at it and and get feedback, not necessarily about only things that you’re doing wrong right, that you haven’t perfected yet. But what you’re doing right yesterday may not be the right thing to do tomorrow the yesterday, today or tomorrow. So you’ve got to constantly be figuring out how to fine tune that, do things better, and you can walk around, do your gemba, your gambits.
[00:18:59] Whatever, [00:19:00] however you say shrimp, Spanish gambas – I forget you can walk around and do that kind of thing together sentiment, but you’re also going to need to come up with some metrics to track culture. So if you want to read this full article you can go to TanzuTalk.com, find the show notes for this episode.
[00:19:20] Which I don’t know, it’d be pretty easy. And you can read through that also. I wrote up a lot of this in a couple of my books that you can get for free from from us at VMware Tanzu because we licensed it from O’Reilly, The Business Bottleneck and Monolithic Transformation they’re two good books look at, I’ll put a link to The Business Bottleneck at the end here.
[00:19:45] And, down – look! I’m doing like my kid’s Minecraft yellers do down in the notes and you can click on links to all of that stuff. And then also I’ll put links to the other videos at the end as well. [00:20:00] So with that I’ll see everyone next time. Bye. Bye.
Today, I go over five business metrics to track: (1) sales/workflow completion; (2) adoption; (3) awareness; (4) cost per transaction; (5) customer experience and satisfaction. There are, of course, all sorts of other metrics, but these are some you can start with as you figure out which metrics are the best for you. Check out the article I pull this from, and read even more in The Business Bottleneck.
When you’re managing your organizational transformation, it’s too easy to forget that you, too, must change. In today’s episode, I cover five things to check on. Rather, I watch myself covering those things. There’s some extra commentary, of course.
When you’re looking to change how you do business with software, you better understand how software works. Coté shares a couple ways to come up to speed and an example. It’s another selection from his book, The Business Bottleneck.
A healthy sense of urgency – paranoia, even! – is what organizations need to keep evolving, and change in the first place. If you don’t like the negativity of that idea, you could think of it as curiosity. In this episode, I goes over the relevant section in his book, The Business Bottleneck.
All those fresh CI builds end up taking up a lot of bandwidth: someone has to pay for it! Paul joins me again to talk about the rising trend in open source projects that need to find container download patrons. In doing so, we also discuss Helm briefly. Also, we discuss some new ideas for Tanzu TV formats.
When should customize open source? As Coté says in this episode, if you have to ask, the answer is no. Rick Clark and he discuss strategic considerations for going beyond just using and embedding open source software.
Coté goes through his opening talk for “round tables” and “fireside” chats. Also, he answers the age old work-form-home question: are cucumbers good enough to transform seven month olds into good office mates?
In this episode, Coté is joined by Rick Clark and Sophie Seiwald to discuss management challenges of remote working. You know the drill: everyone has been working from home since the spring, taking away all the advantages and habits of working face-to-face. What’s new in this conversation is some advice for doing strategy communication, something that’s especially important when you’re relying on autonomous developer teams. We also discuss keeping people’s spirits up and making casual conversations with the boss more like running into each other in the hallway instead of an ominous “we need to talk” meeting.
You don’t have to make an A on everything, try for more B’s and C’s, even F’s. Doing perfect on every project is a path to failure, if not misery. So, why not be OK doing less than perfect on some projects, and completely failing on others? This is howI’m getting gets comfortable saying “no” more often, which so far has worked out.
When it comes to digital transformation, kubernetes, and app development, executives are always stressed about skills gaps. They don’t think staff people are up to the tasks and they don’t have the budget to hire new people with that occult knowledge. However, this might be more about the lack of training and strategic learning methods in those organizations. What if the problem wasn’t a lack of skills, but a lack of learning? In this episode, Coté goes an analyst report that looks at this situation and walks through some tactics to address the (supposed) skills gap.
Chapters
00:00 – Skills gaps. 00:40 – Survey says: people worry about skills. 05:37 – The types of skills that are missing. 09:19 – Three ways to get the skills your org. needs. 16:31 – Learning how you learn – don’t forget to measure. 17:14 – CTA – http://kube.academy, http://tanzu.vmware.com/developer 19:23 – Bonus: get free training from deal-hungry ‘vendors.
