
Investments Unlimited: A Novel About DevOps, Security, Audit Compliance, and Thriving in the Digital Age

Susan Jones had been CEO of Investments Unlimited, Inc. (IUI), a financial institution that had successfully navigated its digital transformation, for five years. She was quick on her feet and trusted by the board. But right now, although you couldn't tell from her demeanor, she was panicking.

Today, IUI received notice from bank regulators concerning their unsatisfactory audit and compliance practices. If they failed to address the regulators' concerns within the year, the company could go up in smoke.

She didn't understand. How had her team let this happen? How had she let this happen?

Over the past several years, IUI had executed a digital transformation strategy following the business-accelerating principles of Agile and DevOps. By any metric they had seemingly done things right: feedback from customers was astounding and conversion rates for new accounts were growing faster than ever. But along the way IUI's manual governance process had become inundated with friction, frustration, and failure for the teams attempting to deliver value for the organization.

Now, it's all hands on deck for a cross-functional team of executives and engineers to develop a modern automated governance process that satisfies regulators without slowing the company's ability to meet customer demands and compete in the market.

In the vein of bestselling titles The Phoenix Project and The Unicorn Project, Investments Unlimited helps organizations radically rethink how they handle audit, compliance, and security for their software systems. By introducing concepts, tools, and ideas to reimagine governance, this book catalyzes a more humane way to enable high-velocity software delivery that inspires trust and is inherently more secure.

148 pages, Kindle Edition

Published September 13, 2022

73 people are currently reading
334 people want to read

About the author

Helen Beal

3 books, 2 followers

Ratings & Reviews



Community Reviews

5 stars
85 (33%)
4 stars
109 (42%)
3 stars
54 (21%)
2 stars
7 (2%)
1 star
0 (0%)
Displaying 1 - 24 of 24 reviews
171 reviews, 1 follower
November 1, 2022
Read this for what it is. Not a great novel, but a great resource to help you get to grips with risk management in a DevOps environment. Yes, initially the story is a bit cringeworthy. I mean, how can you function in the financial world with this many things missing, was my initial thought. But look beyond that. It is just a frame used to explain what should and could be done. And almost every page has a footnote with a useful reference, either explaining terms, situations, examples from the real world, or giving you excellent hints on how to solve problems.
On top of that it comes with a couple of very valuable appendices, giving you even more ideas. The company was one of the first to adopt DevOps in Europe, and I think we are doing reasonably ok with Risk Management as well. (well, I would say that, working in Risk Management myself) But no, it is not perfect. And Investments Unlimited gave me at least a couple of ideas to discuss with colleagues. And I am genuinely thinking about buying a couple of copies to hand out to management. Certainly that is something I did not expect!
Maya Senen
462 reviews, 22 followers
September 13, 2022
There are countless books documenting the techniques and tooling of DevOps. Rather than a technical how-to, Investments Unlimited abstracts much of the nitty-gritty to tell the story of what a DevSecOps transformation might look like for the people and teams of an enterprise organization.
Enoch
48 reviews
June 13, 2023
I enjoyed this book. It highlighted key security concepts. It is a good book for a mid or senior developer looking at the #sec in the devsecops paradigm.
John
493 reviews, 413 followers
October 7, 2022
This is a novel about DevSecOps that describes a company in the finance sector that bungles its compliance obligations, receiving an MRIA ("Matter Requiring Immediate Attention"), a regulatory finding issued by the Federal Reserve. You don't want one of these. If you don't fix the problems identified in the MRIA, you may be forced out of business.

My bet is that this book would be a valuable read for people in the CIO's office and for engineering managers who are trying to develop a more automated approach to compliance. The book is published by IT Revolution, who brought us The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win. This novel (maybe more of a novella) isn't as compelling as Phoenix but you'll still learn a lot.

In the novel, Investments Unlimited receives an MRIA because they can provide little assurance that their in-house developed software has been reviewed for issues such as the way it depends on open source software (which may have vulnerabilities), and proof that code was reviewed. The story revolves around a team that attempts to address these issues by building a more automated software build pipeline that uses tooling to provide assurance. In a compelling way, the book does not shy away from the technical limits the team experiences, and there is a nice twist in their approach to satisfying the MRIA that would be a spoiler if I described it.

That may sound a little dull, but if you're in the business of making software, a lot will resonate here. Generally the company Investments Unlimited is lucky because they are able to have conversations across functional areas. You may not be so lucky. It's interesting to see how ideas pop out. The two key players are down inside the leadership hierarchy (which is provocative all by itself: leadership is a bit absent here) -- Michelle, who is a Senior Staff Engineer, and Andrea, who reports to the Chief of Audit and Risk.

The book contains useful appendices on MRAs and MRIAs, Pipeline Design, a shortened version of the DevSecOps Manifesto, a brief outline of the idea of "shifting left" and its criticality to the whole DevSecOps enterprise, a note on SCA (Software Composition Analysis), and finally, a summary of Biden's Executive Order calling for improvements to the USA's cybersecurity.

All of these topics in the appendices are deepened by the story. So if you've wanted to understand the topics of these appendices in a narrative, this is the book for you.
Andrei ILchenko
46 reviews
January 1, 2024
A succinct novel outlining the transformation of a small-sized US bank towards automatically enforceable controls and policies for applications it puts into production.

The following stood out as the most noteworthy to me:
* Software Composition Analysis (SCA). The importance of capturing the SBOMs of applications during their build and their subsequent periodic scanning for new vulnerabilities. Most organisations only carry out this analysis during build time, which (unless they release frequently) exposes them to attacks through newly published CVEs.
* SCA. The existence of standards for capturing SBOMs — CycloneDX and SPDX.
* SCA. The existence of OSS tooling for carrying out the above — OWASP’s Dependency Track
* 3 lines of defence. One of the most lucid explanations of the 3 lines model (which most modern banks use), with a clear summary of what each line of defence covers. E.g. that the 2nd line decides on controls and policies to put into place and ensures the 1st line is executing within the established controls and policies. And that the 3rd line is the assurance mechanism. They don't decide what controls to use or how to implement them. They are merely assessing if the risk management approach put in place by the second line is effective.
* The existence of OSS policy engines that allow to codify controls and policies and then enforce them. E.g. the REGO language for writing policies and the Open Policy Agent (OPA) for enforcing them.
* One of the easiest to follow explanations of how modern trunk-based development with pull requests and their subsequent merging into master works.

The authors deserve special accolades for making the material accessible to non-techies.

Tõnu Vahtra
617 reviews, 96 followers
January 8, 2023
Since I was comparing it to "Phoenix Project" and "The Game" from the moment I started reading, expectations were high, and thus it felt like a disappointment already after the first chapters. As a novel it's quite bad when looking at how basic and linear the plot is; the few setbacks were so mild that people who have dealt with complex problems and existential risks would not stress about them at all. So after the novel part fell away, I tried to ignore the naivety and take it as just an educational book. From that aspect the book is an ode to DevSecOps, and I did get some principal insights for better cooperation and synergy between Audit and Delivery teams (vs. Audit being considered as overhead only and sensing a complete lack of interest and cooperation from technical teams).

DevSecOps manifesto: https://www.devsecops.org/
Shift-left testing to prevent issues from late testing.

Control tollgates for pipeline design:
• source code version control
• optimum branching strategy
• static analysis
• >80% code coverage
• vulnerability scan
• open-source scan
• artifact version control
• automated provisioning
• immutable servers
• integration testing
• performance testing
• build deploy testing automated for every commit
• automated rollback
• automated change order
• zero downtime release
• feature toggle
Hussain Abbas
103 reviews, 5 followers
February 18, 2025
Good bridge book for technology and business

As a fictionalized concepts book, this has many types of readers. For me, someone who is well versed with technology but needs to better understand the industry, it gives me a clearer picture of why certain technological choices may be made in different contexts. For a non-technical leader leading a technical business (and the book makes a case that all businesses are technology businesses), this book may be able to relate their domain specific challenges with technological solutions.

In any case, I can't really find a complaint with the book. The fictionalized setting is nothing to write about because that's not the point of this book. The technology references are useful and very generic. That's probably my complaint though: that the solutions described are so generic that it might give an impression that everything needs to be built within organizations whereas almost everything can be picked off-the-shelf.

It's a quick read and I would recommend you to read this if you're leading organizations.
Yoly
709 reviews, 48 followers
September 27, 2022
Investments Unlimited, a spiritual successor of The Phoenix Project and The Unicorn Project introduces concepts, tools and ideas to reimagine governance.

The concepts are presented in a story in Investments Unlimited, a fictional financial institution that received notice from bank regulators concerning their unsatisfactory audit and compliance practices. With an interesting and relatable cast of characters we get to see what the team did in order to fix their process.

Although not required, I recommend reading The Phoenix Project and The Unicorn Project before this one, as it feels like a “spinoff” and doesn’t go that deep into DevOps as the previous two books did.
3 reviews, 1 follower
October 4, 2022
An Engaging Read

I loved the format of this book! The authors did an excellent job of turning DevOps, Security, Audit, and Compliance topics into an engrossing story and one many of us can relate to. I also found the additional resources that are referenced throughout to be very helpful in diving deeper into related topics. I am a tech product manager and found this book very relevant to the types of challenges I encounter and the people I partner with to bring great products to market. Thanks for an awesome book!
Terry Brown
18 reviews, 5 followers
December 10, 2022
another great fable along Phoenix project lines

The term DevSecOps shouldn’t be needed, though is a useful qualifier to the devops space. This book covers the devops mindset but focuses in on governance, risk, compliance and security - essential drivers in any regulated space. It uses a similar 3 ways mantra but amplifies elements such as shift left etc

A useful read, hugely amplified by the links to additional resources throughout, which give great grounds for additional deeper diving.
Nicolas Acton
71 reviews
December 19, 2022
I read this for a work book club and ended up bingeing it!

I loved this book. I think organizations looking to make DevSecOps transformations should buy copies of this book for everyone. It reads a lot like Phoenix Project but incorporates many of the Sec components in DevSecOps that were originally missing from that volume, and in about 1/3 of the pages.

It perfectly maps the types of personae you could expect to see, from the promoters to the detractors. The book also walks you through the changes that an organization would have to implement in order to safely and rapidly deploy their applications.

Matt Kelland
Author, 4 books, 8 followers
February 20, 2024
One of the better books in this style I've read. My only real issue with it was that it required more technical knowledge than I was comfortable with. If you're a developer, then it's probably not an issue, but it's not really something for a non-developer to read. It adopts a good step-by-step but non-linear approach to understanding and addressing the problem, and it's presented very clearly.
Chris
126 reviews, 8 followers
October 1, 2022
Yet another brilliant narrative-driven story of a company facing challenging conditions, with regulators and auditors on their trail. Easy read and compelling story. Must read for any role or level, not just technologists.
Ed Schaefer
79 reviews, 13 followers
November 7, 2022
Not as strong as The Phoenix Project, but still a great business novel about a really important topic. Treating security, compliance, and governance as infrastructure and code is a great way to reduce toil and stay aligned with regulations and auditors.
675 reviews, 7 followers
November 7, 2022
Excellent ideas for automated governance. Story line had numerous flaws. E.g., Company existence at stake but only one small team assigned problem? Many others. Not recommended for non SW engineers.
Chris Austin
77 reviews, 9 followers
November 27, 2022
A very fast read in the style of The Phoenix Project and The Unicorn Project, though with more focused content and less flavor text. The focus is on software supply chain security and shifting audit controls left. No eureka moments for me since I'm already a full convert, but also no complaints.
Chaundra
302 reviews, 18 followers
May 31, 2023
An interesting way to explore technology and operational resilience. As a regulator it was a fascinating insight into how firms could react and what both good & poor practices look like. Helpful to consider how to drive better outcomes in firms I regulate.
Daniel
405 reviews
February 1, 2025
great IT novel on including audit and security

Great addition to the Phoenix story.

The story has a number of hit and misses but in the end does a decent job on showing audit should not be avoided or ignored. It should be a function that helps the business do better.
49 reviews
January 18, 2023
Not a great novel. Not a good resource of technology insights if you're already into DevSecOps. Good introduction and motivational read for upper management.
631 reviews, 5 followers
July 15, 2024
This is basically a follow-on to The Phoenix Project, adding security & compliance to the mix. I picked up the book at a DevOps Days conference last year, and now I happen to be working directly in that space, so it was a good fit. One where I'd set aside the book for a few minutes after reading a paragraph to think through what it might mean for me and my team.

Investments Unlimited is a novel meant to teach. We follow employees at a fictional, heavily-regulated company as they work to comply with those regulations and prove that they have done so. They rely on automating security & compliance checks, building tooling to surface status, and working collaboratively with people from other parts of the business (namely, security & audit) to solve their problems.

The story is a little hokey, but the point was to present the information in a way that's interesting, and I think authors (the _nine_ authors!) accomplished that goal. I wound up with a bunch of notes I'll be taking back to my team, and I will also offer to buy all of them a copy of the book to read to get everyone thinking about this. It's a short read, too, which makes it approachable.
Richard Bullington-McGuire
6 reviews, 3 followers
October 22, 2023
A decent narrative on why DevSecOps matters

If you want to know what shifting left means in a complex IT landscape using modern DevOps practices and security tools, this book may be for you.