Cisco on Cisco

Business Management Case Study: How Cisco IT Uses Software Configuration Management to Minimize Business Risk


Application change management process improves software quality and developer productivity.
CHALLENGE: BALANCING INNOVATION AND RISK

Terry Clark, director of IT for Cisco Systems®, describes change management as "the attempt to manage the classic IT struggle: agents for change versus agents for stability." She says, "CIOs are tasked with implementing ongoing change to support and lead the business toward profitability. Yet they're also expected to help ensure that rapidly-changing systems remain stable."

Early in the company's history, Cisco management consciously tolerated the risk inherent in a high rate of change. On occasions when risk was unacceptable (for example, during month-end and quarter-end closes, or when the company deployed major application upgrades), IT imposed a restriction on change.

As the business matured, the need for a more balanced approach to risk increased. The Cisco® IT organization began mediating between agents for change, such as developers, and agents for stability, such as operations personnel. "IT organizations are more successful when they recognize the struggle and know it will never be resolved," says Clark. "And it shouldn't; if either side 'wins,' you lose balance."

Evolution Of Application Change Management At Cisco Systems

Clark identifies three phases of application change management in Cisco's history: informal, production promotion, and software configuration management (SCM).

Phase 1: Informal, until 1995

Before 1995, Cisco IT did not impose formal controls on change. The same person who developed the code could also place it into production. Sources of risk included a lack of documented code reviews, inconsistent developer standards, and failure to understand the dependencies between new code and existing code on the server. Cisco IT focused on a single piece of code rather than on the entire release. The need for change management increased when Cisco began using more complex, integrated applications, where a problem with one application might lead to problems with others.

Phase 2: Production Promotion, 1995 to 2003
"In the old paradigm, developers were responsible for code version tracking, code deployments, application patch processes, quality reviews, security controls, and dependency tracking—in addition to their core competencies of design and development. Now, developers focus exclusively on their core competencies while SCM provides centralized and automated mechanisms to help manage and predict change."

Terry Clark,
Director of IT for Cisco Systems.

Cisco adopted basic application change management in 1995, when it deployed its first Oracle enterprise resource planning (ERP) implementation. At that time, Cisco IT began enforcing segregation of duties: the person who developed the code could not also be responsible for placing it into production. Instead, a developer who wanted to change a line of code would submit the request through a Web-based application-change tracking and development tool. The tool helped ensure compliance with file-naming standards and identified other errors, sending the code back to the developer for any necessary corrections. An automated workflow routed the request through the required approval steps before the Cisco IT SCM team placed the change into production during an agreed-upon deployment window. This relieved developers of the responsibility for deploying code to production. Even if they wanted to deploy, they couldn't, because the Cisco SCM team helped eliminate their ability to sidestep the system. "Segregation of duties provided a safeguard to staff, contractors, and the business against the possibility of malicious or unintentional damage through accident or incompetence," says Clark.

Phase 3: Software Configuration Management, 2003 to present

For some companies, simple segregation of duties is adequate to help ensure security and reduce risk. As Cisco prepared to deploy Oracle 11i, this approach was widely viewed to be inadequate because of the overall complexity of the Oracle 11i environment and the aggressive release schedule. By 2003, several factors had convinced Cisco IT that it needed to bring greater rigor to application change management. These factors include:

Implementation of Oracle 11i - "Oracle 11i would introduce an unprecedented amount of change for Cisco," says Clark. "We had 400 to 500 developers writing code, so simple production promotion couldn't provide the kind of tracking and management we needed." Before deploying Oracle 11i for the Cisco customer care business flow, the Cisco SCM team conducted an analysis which examined the business risk associated with failing, and concluded that Cisco IT would need to deploy stricter application change management processes if the Oracle 11i deployment was to be successful. The mandate for industry-standard SCM came from the Oracle 11i program manager in the Cisco release management office.

The Sarbanes-Oxley Act - Company executives are now held responsible for financial information reported to the outside world. This adds to the motivation for helping to avoid outages that affect the timely delivery of accurate information.

Transition to a process-focused enterprise - Cisco IT's transition to a process-focused enterprise is increasing the scale and complexity of software implementations. Overlapping IT projects help generate high volumes of change and cross-functional dependencies. Reducing operating expenses due to system failures even as complexity increases remains a company priority.

To meet these challenges, Cisco needed a new paradigm for managing software projects that would help increase quality, mitigate risk by creating processes that are repeatable and predictable, and reduce development costs. An important component of this strategy was SCM.

Figure 1. Cisco IT SCM Team Applies Resources, Processes, and Tools to Support Controlled Access to Production Environments


IT Software Configuration Management At Cisco Today

The Cisco IT SCM team, a developer-facing group within the Cisco infrastructure organization, is driving the paradigm change. In the old paradigm, developers were responsible for code version tracking, code deployments, application patch processes, quality reviews, security controls, and dependency tracking, in addition to design and development. In the new paradigm, developers focus exclusively on their core competencies, while the IT SCM team provides centralized and automated mechanisms to manage and predict change.

The most visible difference for Cisco IT since it adopted SCM is its ability to evaluate new code earlier in the software introduction process (Figure 1). "Before 2003, Cisco IT became involved in change just before an application was moved into production, to help ensure the code was documented and stable in a test environment," says Clark. "Now, new code is under SCM control as soon as it leaves development."

Responsibilities

The Cisco IT SCM team's primary responsibility is application code migration. The team's other contributions include: application configuration migration, facilitation of quality control and analysis, environment management, application patch management, and coordination with the Cisco infrastructure change management group.

Tools

The Cisco IT SCM team uses an application-change tracking and development tool for application governance, as well as an archiving software version manager. By requiring that all code be stored in a single archiving version manager, troubleshooting is simplified and quality is improved.

Process

The Cisco IT SCM team helps improve quality by applying repeatable processes for managing change and predicting its effect. "Previously, engineers and developers deployed changes ad hoc, often inflicting collateral damage because the cross-team dependencies weren't obvious to every developer," says Clark. "The impact of changes was not always well understood before the changes were deployed into production. In the new model, we enforce consistent governance rules throughout the deployment process. Accountability is clear because automated audit trails identify the necessary approvals at each phase."

The Cisco IT SCM team also automatically monitors code for naming standards, and returns it to the developer if standards are not met. Earlier intervention results in more repeatable, faster deployments, with fewer errors.

RESULTS

In the second half of 2003, Cisco tested its new SCM process on the Cisco Customer Care business flow, a subset of the issue-to-resolution business flow. Cisco Customer Care is a customer relationship management (CRM) application implemented on Oracle 11i.

Cisco achieved its three main goals for change management: increasing quality, reducing risk by helping ensure that processes are repeatable and predictable, and reducing development costs. "Overall, SCM has resulted in a stable, flexible, more productive environment for our customers, partners, and IT team," says Clark.

Increased Quality and Reduced Risk

By adopting SCM for Oracle 11i earlier in the software introduction process, Cisco IT has enhanced quality through earlier detection of dependencies and deviation from standards, such as file-naming conventions and installation practices. "Compared to Cisco's use of informal application change management, deployment-related outages have dropped by 90 percent, from 10 to 15 outages per quarter to just one," says Clark. "Our processes are now repeatable, standardized, and scalable, because they're automated, and they also provide an audit trail for easier reporting within the company."

To explain the impact of the change, Clark offers this analogy: "Before, we were the doorman, letting all code enter in an orderly fashion. Now we're the sheriff, thoroughly checking code months before it comes to the door by communicating file-naming standards and forcing code to be installed in standard directories. As a result, we've reduced the risk of developing and deploying solutions that don't work well together."

Increased Developer Productivity

Developers are able to be more productive because the Cisco IT SCM team has assumed responsibility for context activities outside developers' core competency, such as code-version tracking, code deployments, application patch process, quality reviews, security controls, and dependency tracking. In addition, application maintenance takes less time because the Cisco IT SCM team enforces standards that make applications more sustainable. "According to the Cisco Customer Care team, they were able to hire 10 percent fewer people than anticipated," Clark says.

Improved IT Service to Internal Clients

Because the software version manager and application governance tools create a detailed audit trail, the Cisco SCM team can now offer its IT clients a reporting service that lists failed deployments and provides the reason. The reports provide quality metrics, such as, "Of 1000 lines of code, 10 percent failed deployment because of quality issues." This helps to suggest that the developer should spend more time helping to ensure quality before the next cycle.

Cisco IT also provides clients with a velocity of change report, which indicates the maturity of an application before it leaves a test cycle based on how much of the application changed that day. "If the report indicates that 500 of 1000 lines of code changed that day, leaving the test cycle would be ill-advised," says Clark. "This information, which we now have for the first time, gives the release manager the information he or she needs to ask for more time for testing."

Clark notes that the quality metrics support Cisco top-level goals to become a process-oriented organization. "We now have metrics to better understand our progress, instead of relying exclusively on the project schedule and where it says we should be," she says. "With the use of SCM, IT is putting in place a tangible process that helps ensure quality. It's a new way of working."

Enhanced Scalability

The complexity of the Cisco application environment is continually increasing. The Cisco IT SCM processes and tools implemented in 2003 have scaled to accommodate a steadily increasing number of languages, developers, applications, and sites, and currently support 14 organizations and an increasingly distributed development environment.

Employee Acceptance

"Vice presidents and directors think the Cisco IT SCM process is great," says Clark. "The developers are adjusting to a new way of working. Many are accustomed to coding, having it break during testing, and then fixing it. The new process encourages them to get it right the first time."

NEXT STEPS

Implementing other Oracle 11i business flows - Cisco compiled lessons learned from the Cisco Customer Care business flow and is applying them to other Oracle 11i business flows, including Quote-to-Cash, Procure-to-Pay, Plan-to-Build, and Hire-to-Retire. SCM will be integral to deployment. "The Cisco culture is evolving to regard SCM not as a luxury, but a necessity," says Clark.

Implementing SCM for Web applications - IT SCM is extending the model it implemented for Oracle 11i to critical Web-based applications used for revenue generation, revenue recognition, and customer service, including Cisco Connection Online, Cisco Connection Internal, and Cisco Connection External.

Concurrent development - Currently, Cisco IT deploys and distributes various code versions on all development servers. With concurrent development, multiple developers can simultaneously work on different revisions of the same file, enabled by a centralized archive software version manager, which Cisco is currently implementing. When code storage is centralized, organized, and tracked, developers anywhere in the enterprise will be able to access code through a Web-based interface. Concurrent development overcomes a historical challenge at Cisco: if a new release of code is planned for 30 days after the previous release, the second developer needs to wait for the code to be completed and unlocked. Concurrent development helps enable more relaxed development cycles and improved code quality. "Centralization will give us visibility into concurrent development and will allow us to track the changes between versions and merge them whenever we want," Clark says.

CONCLUSION

Over the next few years, Cisco hopes to increase its business capabilities and improve its productivity. Cisco IT has begun tackling these goals with large, overlapping deployments with many interdependencies, making scalable processes, such as SCM, as essential as a scalable network infrastructure. "To support the company's ambitious agenda, it is essential that Cisco IT quickly elevate its ability to manage and predict change across multiple, large-scale, complex deployments," says Clark. "The volume and velocity of change facing Cisco IT requires nothing less."