In 2022, DORA continued its investigation into software development and operations, and the capabilities that drive performance. This year’s deep-dive investigations included security, reliability, and culture. You can download the 2022 report here.
The biggest predictor of an organization’s application-development security practices is cultural, not technical
High trust, low-blame cultures focused on performance were significantly more likely to adopt emerging security practices. We noticed that teams who focus on establishing these security practices demonstrate reduced developer burnout; teams with low levels of security practices have 1.4x greater odds of having high levels of burnout than teams with high levels of security practices. Further, teams with high levels of security practices are 1.6x more likely to have high levels of organizational performance than teams with low levels of security practices.
The key variables that impact organizational performance tend to fall in the following categories:
Organizational and team culture: High-trust and low-blame cultures tend to have higher organizational performance. Similarly, organizations with teams that feel supported through funding and leadership sponsorships tend to have higher organizational performance. Team stability and positive perceptions about one’s team also tend to lead to higher levels of organizational performance. Lastly, the companies that offer flexible work arrangements are the companies that tend to see high levels of organizational performance.
Reliability: Both the practices we associate with reliability engineering and the extent to which people report meeting their reliability expectations are powerful predictors of high levels of organizational performance.
Cloud: Teams continue to move workloads to the cloud, and those that leverage all five capabilities of cloud see increases in software delivery and operational performance as well as organizational performance. Multi-cloud adoption is also on the rise so that teams can leverage the unique capabilities of each provider.
DORA has long postulated that many of these effects depend on a team’s broader context. For example, a technical capability in one context could empower a team, but in another context, could have deleterious effects.
Software delivery performance’s effect on organizational performance depends on operational performance (reliability), such that high software delivery performance is only beneficial to organizational performance when operational performance is also high. Implementing software supply chain security controls like those recommended by the SLSA framework has a positive effect on software delivery performance, but only when continuous integration is firmly established as a capability.
Technical capabilities build upon one another. Continuous delivery and version control amplify each other’s ability to promote high levels of software delivery performance. Combining continuous delivery, loosely coupled architecture, version control, and continuous integration fosters software delivery performance that is greater than the sum of its parts.
Teams that recognize the need to continuously improve tend to have higher organizational performance than those that don’t.