Like the popular children's character Dora the Explorer, whose message to children is to discover their potential by questioning and exploring the world around them, DevOps Research and Assessment (DORA) exists to help the software industry explore and identify more efficient ways to operate and to measure the success of its DevOps programs.
But as with any challenge, success can only be recognised when there is a benchmark to measure against. And the truth for many organisations is that CIOs are often flying blind on the ROI from their total investment in software development, IT operations, and application security.
In fact, whilst many CIOs can tell you what their total technology spend is across people, software licensing, and infrastructure, they struggle to put this in ROI terms related to business impact and time-to-value.
In DevOps and Agile processes, once we can measure a process, we can identify opportunities for greater efficiency and begin to correlate those opportunities with business value, connecting the entire organisation with a common goal and vision.
Put simply, the better your ability to measure, the more you can start to focus on ROI.
If you are just starting out on your Agile journey or are looking to connect your existing Agile processes with other groups and lines of business, let DORA be your guide to understanding and implementing effective measurement principles for DevSecOps, providing a critical compass towards improved ROI and business maturity.
DORA metrics explained
DevOps Research and Assessment (DORA) espouses four key metrics that are straightforward, focused, and easy to implement. They form an excellent foundation for your metrics initiatives, helping improve your existing DevSecOps efficiency while also offering a map to align with business stakeholders.
The four key "DORA" metrics are:
- Lead Time - how long does it take to go from code committed to code successfully running in production?
- Deployment Frequency - how often does your organisation deploy code to production or release it to end-users?
- Change Failure Rate - what percentage of changes to production or released to users result in degraded service and subsequently require remediation?
- Time to Restore Service - how long does it generally take to restore service when a service incident or a defect that impacts users occurs?
GitLab additionally recommends that our customers measure Security - how much security risk is taken on for each of these projects?
Complexity is the Achilles heel of measurement
Although the DORA metrics are a great measurement framework, trying to aggregate and make sense of these metrics is made significantly harder with a complex DevSecOps toolchain.
Because data isn't housed in a single datastore, the CIO management team's time is wasted trying to capture data across the multitude of tools that developers are working with; in other words, a "tool-chain tax".
The consequences are either that useful ROI metrics are never captured, or precious time and resources are wasted on manually capturing the DORA 4-key metrics, which could be spent on more productive activity.
In contrast, a fully integrated DevSecOps platform enables all metrics to be captured automatically in a single data store, helping organisations to understand the velocity, speed, overall quality, and stability of software development projects. This provides end-to-end visibility that is easily digestible for all teams (including CISOs), aggregated at the group or instance level, charted through high-level trends, and directly actionable, so improvements can be made in real time.
Like many other forms of manufacturing and production, DevOps is not just a fixed form of software delivery, but a process of exploration.
Using DORA as a vehicle for discovery, organisations have the power to track, understand and improve their processes, ensuring they can continue to enhance productivity, deliver better products, and importantly, demonstrate a clear ROI. Now that sounds like an adventure even Dora the Explorer might enjoy.