by Snehal Antani

Security, availability, and compliance — by design

Feb 12, 2016

Build the technology, processes, and culture to enable enterprises to move like startups

Our enterprise IT environments are complex and made up of many moving parts, including outsourced employees and legacy processes that slow us down. Complexity is dangerous for several reasons.

First, complexity leads to fragile systems that distract senior experts with constant fire drills. Second, complexity leads to blind spots that can be exploited by hackers. Finally, the maintenance costs grow out of control, and there is little money left for commercial innovation.

Smaller, more agile companies are now disrupting industries that were once immune to disruption. Many enterprises are on an unsustainable trajectory and must transform. Embracing the philosophy of security, availability, and compliance by design can help institute the technology foundation, processes, and culture that enable companies to have the resources of an enterprise with the agility of a startup.

What does it mean to have security, availability, and compliance by design? First, create the IT foundation of hybrid cloud, continuous delivery, and continuous insights in order to become a programmable enterprise. Then foster a culture of continuous improvement. Finally, realign the organization so that teams are more focused and empowered. These KPIs measure progress and communicate the benefits to business stakeholders effectively:

  • Development velocity — the speed at which new functionality is delivered to customers.
  • Failed Customer Interactions — the number of negative experiences our customers have with our digital products and services. This replaces the antiquated, hardware-centric “how many 9s of availability does the system have” metric, which makes no sense to the business.
  • Compliance Response Time — the time it takes to produce qualitative and quantitative evidence to auditors that we are adhering to our policies and standards.

There are a number of principles that help optimize these KPIs:

Keep it simple. Reduce the number of moving parts in the solution. Fewer moving parts will lead to a simpler, more stable environment. By eliminating manual steps with automation and reducing the number of handoffs between teams, you can deliver systems with speed, consistency, and repeatability. Moreover, patching and upgrading systems becomes much easier, which helps to reduce vulnerabilities and instability in the system.

Get out of the IT integration business. When I was a CIO, 60 percent of the cost of my IT projects was spent on getting the plumbing to work: installing, configuring, and connecting application servers with ESBs, etc. For my big data projects, nearly 80 percent of the cost was getting Hadoop and other services stood up. That spend provided no sustainable differentiation to the business. Moreover, every virtual machine was a snowflake, unique in some way, which made it difficult to stabilize or secure. Standardizing and automating the delivery of systems helps get you out of the IT integration business, and allows you to focus engineering resources on delivering higher value business outcomes.

Shift left. Find problems earlier in the software development lifecycle. Don’t wait until the end of the release to realize there are performance problems, security vulnerabilities, and stability issues. When developers check their code in, you should run automated whitebox (static security scans, Sonar blockers, etc.) and blackbox checks (dynamic security scans, “chaos monkey” tests, etc.) and catch problems immediately.

Architecture as code. The role of EA (enterprise architecture) must evolve within an organization to achieve security, compliance, and resilience by design. EA can no longer be ivory tower “PowerPoint machines.” EAs need to define policies and standards as code: runnable application templates, deployment automation, and automated verification. The CISO and Chief Enterprise Architect are converging, and the architecture team must be held accountable for the security, compliance, and resilience of their designs. Holding EA accountable with some operational responsibilities is an incredibly powerful organizational concept that can extend to include reliability engineering and compliance.
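The "shift left" and "architecture as code" principles above come together in a check-in gate that verifies a deployment template against standards written as code and emits the evidence an auditor would ask for. The following is an added illustration, not code from the post: the template, the four standards, and the approved-image prefix are constructed examples of what an EA team might encode.

```python
import json

# Constructed sample deployment template; not taken from the post.
SAMPLE_TEMPLATE = {
    "service": "payments-api",
    "base_image": "corp/base-java:11",
    "ports": [{"port": 8443, "public": False}, {"port": 9090, "public": True}],
    "storage": {"encrypted": False},
    "health_check": "/healthz",
}
APPROVED_IMAGE_PREFIXES = ("corp/base-",)  # hypothetical standard

def no_public_ports(t):
    """Standard: no port may be exposed directly to the internet."""
    public = [p["port"] for p in t.get("ports", []) if p.get("public")]
    return not public, f"public ports: {public}"

def encrypted_storage(t):
    """Standard: persistent storage must be encrypted at rest."""
    enc = t.get("storage", {}).get("encrypted", False)
    return bool(enc), f"storage.encrypted={enc}"

def approved_base_image(t):
    """Standard: only images from the maintained, patched base set."""
    img = t.get("base_image", "")
    return img.startswith(APPROVED_IMAGE_PREFIXES), f"base_image={img}"

def health_check_defined(t):
    """Standard: every service exposes a health endpoint for monitoring."""
    hc = t.get("health_check")
    return bool(hc), f"health_check={hc}"

POLICIES = [no_public_ports, encrypted_storage, approved_base_image, health_check_defined]

def verify(template):
    """Run every policy; return (all_passed, evidence records for auditors)."""
    evidence = []
    for check in POLICIES:
        ok, detail = check(template)
        evidence.append({"policy": check.__name__, "passed": ok, "detail": detail})
    return all(e["passed"] for e in evidence), evidence

def failed_policies(template):
    """Names of the standards a template violates: what the check-in gate reports."""
    return [e["policy"] for e in verify(template)[1] if not e["passed"]]

if __name__ == "__main__":
    passed, evidence = verify(SAMPLE_TEMPLATE)
    print(json.dumps({"passed": passed, "evidence": evidence}, indent=2))
```

Because the evidence is produced on every check-in rather than assembled by hand before an audit, the same run that blocks a bad deployment also shortens compliance response time.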

Transparency leads to continuous improvement. By instrumenting every step in the software development process, every deployed virtual machine, and key application components, you get real-time insight into exactly what’s happening in your environment. Moreover, the rhythm and cadence of the organization transforms. You’re no longer making decisions on last month’s data; you’re running the organization in real time.

With real-time insights you can determine which developers are struggling to write secure, performant, or resilient code, and build customized training programs to improve their skills.

Because you know exactly how secure, stable, and compliant your software and systems are, you can shift to a deploy-when-ready strategy instead of a deploy-to-a-date strategy. You can also proactively determine when a customer is having a negative experience with your digital products and services, and actually do something about it.

Security, compliance, and availability by design is achievable. These principles, the many lessons learned from organizations driving change, and the incredible pace of emerging technologies can help you get there. The question to ask yourself is this: What does it take to improve development velocity, reduce the number of failed customer interactions, and reduce compliance response time by 10x in your organization? Consider the answer to be your North Star, your aspirational vision, and engage your leaders to help you define the pragmatic journey to get there.