Our thinking: Modernize delivery of IT applications and products

Adopt a “product factory” approach at your organization

Innovate quickly, with less risk

So you’re the chief information officer at a legacy company. How’s it going?

Odds are, things could be better. Mature organizations like yours often labor under legacy information technology (IT) operating models with governance, risk and control requirements that more agile, cloud-native start-ups don’t have to navigate. You may be struggling to deliver timely releases of new software capabilities to support the demands of your business and finding it hard to rapidly incorporate customer insights into new product releases.

If so, you may have heard complaints from your chief executive officer along the lines of “these disruptive start-ups are eating our lunch” or “we can’t turn ideas into products fast enough to keep pace.” Closer to your pride and wallet, you may be hearing comments from the C-suite or the boardroom like, “I don’t think we can do this internally” and “we have to look outside our own four walls to get us where we need to be.”

Well, maybe. Certainly the additional IT talent your organization needs is hard to come by right now. There’s a good chance your team is already overworked — perhaps even burned out. That’s hardly an environment to get people excited about innovating. Layer on ever-growing demands on the cybersecurity front, which require that you integrate security directly into product development lifecycles, and the pressures on your IT organization are substantial.

But not insurmountable. Languishing under legacy obstacles isn’t what you or your organization deserve. Nor is it necessary. At KPMG, we believe legacy IT organizations can learn to innovate quickly, with less risk, if they are willing to embrace what we are calling a “modern delivery, product factory” approach to operating.

What, exactly, is that? The idea is to continuously anticipate and deliver on the new digital capabilities that your customers, both internal and external, need or want. It’s an approach that relies on business and technology teams being tightly coupled across all phases of the development lifecycle, oriented around products rather than projects, and aligned by objectives and key results. It utilizes modern application architectures and a framework for iterative software development, such as the Scaled Agile Framework, for implementing agile practices at scale. And it integrates security testing and protection throughout the software development and deployment lifecycle using a development, security and operations (DevSecOps) approach.

Under a modern delivery, product factory model, IT organizations focus more on delivering value than delivering code. This means they restructure their operating model to focus more on the value they are delivering to their internal and external customers and less on how many lines of software they develop.

Adopting a modern delivery, product factory approach to software development requires that you change the way you measure productivity (i.e., switching from legacy metrics to product-based metrics) and that you change your culture — from “build it and they will come” to “build what the customer has requested.” Under this customer-centric operating model, you only build what your customers ask you to build and you use continual feedback loops to drive your ideation and demand management processes.

Realizing the full potential of a modern delivery, product factory model also requires that you scale your good development practices across your entire development organization, which can be easier said than done. While getting one or two small teams to embrace new methods of development may be easy, getting an entire organization on board can be challenging. Many traditional approaches espoused by consultants and software vendors would advocate for a “maturity model” for achieving scale. But as Nicole Forsgren and her co-authors point out in their book about the science of DevOps, Accelerate, “The key to successful change is measuring and understanding the right things with a focus on capabilities — not on maturity.” [1]

The authors of Accelerate identify four key reasons maturity models represent a flawed approach to measuring DevSecOps success. Their argument, to summarize, is that maturity models assume outcomes are achieved through a single, one-time, linear progression that proceeds step by step from a starter level to a more advanced level. But DevSecOps is not implemented properly if teams think they only need to do X, then Y, and are then done. Rather, DevSecOps works when teams believe in continually improving their processes and procedures and continually optimizing their ability to increase workflow throughout their systems.

A key characteristic of elite performers in the DevSecOps space is their ability to embed DevOps processes directly into the delivery supply chain and make them easy to practice. They do this by building a repeatable, factory-based approach to delivering products and services that includes all the necessary automation, security and governance controls. We call this a factory-based approach because, much like an automotive factory, it incorporates beginning-to-end development lines that produce consistent, repeatable, high-quality software each and every time.

A framework for success

KPMG has developed a framework for helping companies implement a modern delivery, product factory approach to software development that addresses the five foundational pillars of software development: (1) value stream management, (2) ways of working (agile), (3) development lifecycle (dev), (4) operations lifecycle (ops) and (5) security and governance (sec). Let’s take a quick look at each pillar:

  1. Value stream management reorganizes your company on both the business and IT sides of the house to focus on identifying your value stream delivery chains and aligning them to your strategic enterprise goals.
  2. Ways of working focuses on how your DevSecOps teams work together to deliver products and services in an iterative, repeatable fashion. This may involve one method, such as agile, or multiple methods such as lean, agile and scrum. The idea is that each team adopts the method most effective for them.
  3. The development lifecycle focuses on DevSecOps concepts of continuous integration and continuous deployment. The goal is to build a fully automated pipeline for performing these functions.
  4. The operations lifecycle focuses on where the product will land (e.g., cloud, internal, software-as-a-service) and how to keep it running smoothly once it’s in production.
  5. The security and governance lifecycle is where companies take a strong look at their security controls to ensure they cannot be breached at any point during the software development lifecycle. The best way to do this is to embed security and governance into every aspect of the lifecycle from ideation and development through production.

Contact us

For organizations that have completed these fundamental steps, KPMG can help with piloting modern delivery capabilities and prioritizing the required culture changes. Finally, we can help with planning, building and executing your modern delivery, product factory program across your portfolio of products.

To learn more about how KPMG can help you transform your IT organization for tomorrow’s challenges and opportunities, contact us.

[1] Nicole Forsgren, Jez Humble and Gene Kim, Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations, IT Revolution Press, 2018.

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.