As we move into DevOps and the IoT, I start to get worried that we are moving into unnecessarily exciting times - partly because early adopters like taking risks and riding up on a white horse to firefight problems at 03:00 in the morning.
But I'm old and I don't like surprises and I do like sleeping at night - I need to trust the automated business systems I use. I live on adrenaline too sometimes, but I hate fixing preventable problems, I hate being involved with avoidable cockups - and I really hate the idea of getting a criminal record because, say, I mess up handling data privacy.
So, I like "just enough" governance, as I said in a Winmark workshop here. I think that if you live in a well-governed environment where you can measure risk, and determine scope of impact reliably, you can take more risks - because you can effectively manage any risks that you take. Taking well-understood risks, with a known scope of impact, is part of being Agile - with no surprises - and gives you a real edge over your competition.
In the face of constant surprises, "Agility" rapidly gets delivered in name only, because everyone spends so much time dealing with the surprises - in other words, with production contingencies with significant business impact - that no-one has time to be truly agile. And, of course, not knowing what surprises may result soon discourages you from doing anything that might be risky. As (with a different hat on to my Bloor one) I work on the BCS CMSG 2015 conference, I'm reminded of how much good configuration management - a fundamental enabler for "just enough" governance - makes pushing the boundaries less stressful. It's why I think I'd rather work with Perforce than basic Git, for example - although fellow members of the CMSG have convinced me that there's nothing wrong with Git, say, if you put the right sort of management tools around it (including, for example, Perforce).
So I was quite excited when Kevin Parker (VP Worldwide Marketing, Serena Software, a vendor I've been following for some time) dropped a paper in front of me called "Move Fast Without Breaking Things" - because that is exactly what we all have to do. In fact, many of Serena's customers come from highly regulated industries and thus have it even worse than most of us.
Speed, done safely, seems to be Serena's current focus - according to Kevin's blog. The paper, available here, is a good read, although I think it is a pity that it also includes Serena marketing material and, personally, I'd have made it two papers. It is best, I think, if you read and digest the first part, before getting into Serena's solutions. There's nothing wrong with Serena's products, and the paper's coverage of them is interesting, but I'm always happiest making sure that I'm fully confident with the business-level, technology-neutral, issues before I try to match my needs to whatever a vendor is offering.
Anyway, in the paper, Greg Hughes (CEO of Serena Software) looks at some of the software development risks around:
- Intellectual property
- Customer reputation and goodwill
- Legal and regulatory standing
- Financial capital
This is in the context of Agile development; parallel team development; continuous integration; continuous delivery, with collaboration of all stakeholders around a deployment pipeline into production; Lean, which is largely avoidance of waste; and, of course, DevOps.
He goes into the security and compliance risks, which I fear are often overlooked in the midst of Agile enthusiasm, and suggests what I'd call "good practice" measures to address them. (Greg actually talks of "best" practice, but I don't like the feeling of optimisation attached to the term "best".)
Most importantly, he recognises that "velocity" is important even in highly regulated industries, these days. That's good, of course, but balancing "velocity" and "just enough governance" is important to the rest of us too.