Value stream mapping in DevSecOps

Published: October 27, 2020

The pace of business change has evolved rapidly. The onus is on producing defect-free products and services that meet customer’s expectations of quality, reliability, and stability at a relatively faster rate than competitors. This requires development, testing, and operation teams to work in unison, producing codes at a much significant rate than before. 

The agile and DevSecOps manifesto shrinks development timelines, breaking the cycle into efficient chunks, enabling faster time to market and accelerating site reliability operations through automation. The agile methodology is well known for the velocity at which features can be released. However, Facebook and Google release features almost every day and sometimes multiple times a day, depending on the weightage of the features being delivered. 

Their concepts go beyond sprints and are the epitome of speed to market. This significantly shorter code to deployment is the result of automation at various stages of the development and testing life cycle.

Value Stream Mapping applied to DevSecOps

There exist various opportunities to automate processes across the development and operations phases. The challenge is finding the most opportune one. Project and operation managers need to identify the right levers that improve the ROI  without compromising quality, security, and site reliability aspects. They need to identify pockets of activity that will deliver value towards the intended outcome of faster releases and accelerated operations to market without compromising other factors. These improvement pockets are called value streams, and optimizing them will lead to better efficacies in automating the product life cycle. 

The extensive exercise of interviewing stakeholders and examining data across 4 broad categories viz. technical, process, measurement and culture, based on the scope of improvement, is called value stream mapping (VSM). VSM in DevSecOps gives teams a visual tool to measure and track the most important activity (stream) for the desired outcome (value).

Benefits of Value Stream Mapping:

  • Identify bottlenecks and pain points
  • Monitor and manage errors and defects
  • Greater visibility across the process
  • Higher collaboration between teams
  • Faster and integrated feedback cycles
  • Better context and clarity of KPIs

With firms preferring agile and DevSecOps over the waterfall approach, the whole journey must be run as a change management initiative. Within this, it is essential to identify the right value streams across the three layers of change – team, product, portfolio. 

Most projects go wrong in assessing the value streams because it is done in an unstructured manner, going by the instinct of team members. Value Stream Mappings are to be derived based on the value they add to the desired (or intended) business outcome. The right way, one that maximizes the outcomes, is to approach value stream mapping in a structured manner. An intense exercise that derives data-backed insights and combines it with qualitative inputs.

Some key questions that can help teams produce accurate value stream assessments are:

  1. How is agile implemented within practice areas? How is development in tune with test-driven development? What is the maturity in adopting tech practices like low code/no code?

  2. Are quality engineering principles being followed? Are developers following standards? Do they meet quality standards? Is there compliance with design standards?

  3. From a DevSecOps standpoint, how are the release cycles being run? How much of this process is automated to allow straight-through processing?

  4. From a site reliability perspective, is the incident management process automated and feedback looped in for engineering improvements?

  5. Customer dissatisfaction may not necessarily arise from feature quality but also from the quality of infrastructure. In this case, how are features managed in production post-release?

  6. How is the app architecture being built? Are they scalable, loosely coupled to allow plug and play? Is there a shift towards microservices, Kubernetes, in such a scenario?

Answers to such key questions form the intelligence for assessing the AS-IS state. The next step involves analyzing value streams with these inputs in focus. Qualitatively, the analysis should center around current project artifacts, process design, SOPs, SLAs, tools, etc. along with cultural fitment and ability to consume change.

Quantitative analysis uses metrics based on process data. For teams that are unsure of the data to be analyzed, DevOps Research and Assessment (DORA) recommends measuring Deployment Frequency (DF), Mean Lead Time for changes (MLT), Mean Time To Recover (MTTR) and Change Failure Rate (CFR). Each metric has a value and can be used to determine how successful a company is at DevOps - ranging from elite performers to low performers.

Value stream mapping in DevSecOps

Industry is rapidly ‘Crossing the Chasm’
3 fold increase in “Elite” performance level

Aspect of Software Delivery Performance Elite High Medium Low
Deployment frequencies
(How frequent the team deploys the code)
On demand
(multiple deploys per day)
(once per day)
(once per week)
(once per month)
Lead time for changes
(the time it takes to go from code committed to code successfully running in production)
< 1 hour 1 day - 1 week 1 week - 1 month 1 - 6 months
Time to restore service
(average time it takes to restore service)
< 1 hour < 1 day < 1 day 1 week - 1 month
Change failure rate
(how often deployment failures occur in production that require immediate remedy)
0-15% 0-15% 0-15% 46-60%

However, these are outcome matrices and aren’t the most favorable one if one’s looking for accuracy in mapping the current value streams. Outcomes metrics are reported in periodically -  monthly or quarterly. However, if DevSecOps needs to deliver greater ROI, value stream mapping has to involve in-process, real-time performance metrics.  e.g., Process Cycle Efficiency (PCE), a metric that helps teams identify value add times and non-value add times in a release cycle.

Post mapping the current state, teams need to identify the streams that

  1. Generate more velocity towards the intended goal and

  2. Generate more wastage: Wastage in preproduction and post-production are usually defects, production incidents, toil, bugs, wait time, underutilized teams, inventory, extra processing, and handoffs

Once wastage is identified, the team is left with the most profitable value streams, pockets of excellence that they can focus on. Specific automation can be applied to these cases to expedite the outcomes.



Value stream mapping is a repetitive process that organizations should undertake regularly. It puts in the spirit of continual improvement, helping businesses deliver high-quality products with increased throughput, security, and stability, thereby creating value for the customers.


Transformative digital technology solutions

Dramatically increase the success of your digital transformation

Related content