Presented at Executive Leaders Network CMO/DPO/CIO/CISO Event on October 06th.
"How Haleon have established a software-defined lifecycle that decreases the effort required for build and integration, making new features, bug fixes, experiments and configuration changes always ready for deployment to a production environment."
3. Merger of GSK & Pfizer Consumer Healthcare Divisions
FTSE 100 Firm
Largest Consumer Healthcare Company In The World
21,000 Employees
4. Big Corporate Vs Startup
Start Up
► Fast-paced
► Creativity & communication are valued
► Capable of acting rapidly to adjust business practices and hit shifting goals.
Big Corporate
► Concrete procedures, protocols, and guidelines that govern daily operations
► Slow paced
► Lack innovation
► Silos
► Greater risk of reputational damage as a result of cyber threats
5. Our aim
“Be as lean as a startup whilst ensuring we are delivering software in a secure and maintainable way.”
8. Major Breaches 2021
1. Slack – ‘Shared Invite Link’ - user’s hashed password was being sent
2. Amazon Ring Doorbell – Safety threat alert - Exposing the precise locations and home addresses of users who had posted to the app.
3. Parkmobile - 21 million users (Data breach)
4. Apple iMessage - 900 million users (Data breach) - The flaw was exploited to access a target's device
5. Klarna Payment App – View other accounts
9. Modern Security Threats – JavaScript Command Injection
► Some apps, like Instagram and Facebook, inject JavaScript code into third party websites, which creates potential security and privacy risks for the user.
► Felix Krause, a privacy researcher and former Google engineer, has found through research that the TikTok web browser comprises built-in functionality to track users’ online habits.
► This monitoring can therefore have serious consequences for the user, since it can leak sensitive information such as credit card numbers and passwords.
10. Privacy Matters
► Safari blocks third party cookies by default
► Google Chrome is soon phasing out third party cookies
► Firefox just announced Total Cookie Protection by default to prevent any cross-page tracking
► Apple actively works against cross-host tracking
► As of iOS 14.5 App Tracking Transparency puts the user in control: Apps need to get the user's permission before tracking their data across apps owned by other companies.
12. Be Honest With Your Users About How You Use Their Data. They’ll Love You For It.
13. Automate, Integrate & Monitor
► Automate - The less manual work, the less room for error. If security processes are automated and integrated, nobody can, for example, forget to scan a web application before it is published.
► Integrate - If security is integrated into the software development lifecycle (SDLC), issues can be found and eliminated much earlier. This saves a lot of time and makes remediation much easier.
► Tooling - If security tools work together with other solutions used in software development, such as issue trackers, security issues can be treated the same as any other issue. Engineers and managers don’t lose time learning and using separate tools for security purposes.
► Logging & Monitoring - Logging and monitoring will help you identify patterns of activity on your networks, which in turn provide indicators of compromise.
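The four bullets above describe one pipeline stage: a scan that cannot be skipped, findings that flow into the team's normal issue tracker, and a log line that monitoring can consume. The following Node.js script is an added example, not code from the deck or from Haleon, showing such a deployment gate. The scan report shape, the policy fields and the sample findings are all constructed assumptions; a real pipeline would read the report produced by its own scanner and post the issue records to its own tracker.

```javascript
'use strict';

// Added example (not from the Haleon deck): a deployment gate that wires a
// security scan into the release pipeline, files blocking findings as
// tracker-style issues, and emits one structured log line per decision.

// Constructed sample scan report (assumption: a generic scanner output shape).
const SAMPLE_REPORT = {
  tool: 'example-web-scanner',
  target: 'https://app.example.internal',
  completedAt: '2022-10-06T09:00:00Z',
  findings: [
    { id: 'F-1', rule: 'missing-csp-header', severity: 'medium', location: '/' },
    { id: 'F-2', rule: 'reflected-input-in-response', severity: 'high', location: '/search?q=' },
    { id: 'F-3', rule: 'verbose-server-header', severity: 'low', location: '/' },
  ],
};

// Gate policy (assumption): block on high or worse, and treat a scan older
// than a day as if no scan had run, so a stale report cannot wave a deploy through.
const DEFAULT_POLICY = {
  blockAtOrAbove: 'high',
  maxReportAgeMs: 24 * 60 * 60 * 1000,
};

const SEVERITY_RANK = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };

function rank(sev) {
  const r = SEVERITY_RANK[String(sev).toLowerCase()];
  if (r === undefined) throw new Error(`unknown severity: ${sev}`);
  return r;
}

// Decide whether a deploy may proceed. Returns a decision object instead of
// exiting, so the same logic serves a CI step and a unit test.
function evaluateScan(report, policy = DEFAULT_POLICY, now = Date.now()) {
  if (!report || !Array.isArray(report.findings)) {
    return { allowed: false, reason: 'no scan report', blocking: [] };
  }
  const age = now - Date.parse(report.completedAt);
  if (Number.isNaN(age) || age < 0 || age > policy.maxReportAgeMs) {
    return { allowed: false, reason: 'scan report missing or stale', blocking: [] };
  }
  const threshold = rank(policy.blockAtOrAbove);
  const blocking = report.findings.filter((f) => rank(f.severity) >= threshold);
  return {
    allowed: blocking.length === 0,
    reason: blocking.length === 0 ? 'no blocking findings' : `${blocking.length} blocking finding(s)`,
    blocking,
  };
}

// Map findings to issue-tracker records so they are triaged like any other bug.
function toTrackerIssues(report, findings) {
  return findings.map((f) => ({
    title: `[security] ${f.rule} at ${f.location}`,
    labels: ['security', `severity:${f.severity}`],
    body: `Reported by ${report.tool} against ${report.target} (finding ${f.id}).`,
  }));
}

// One JSON log line per gate decision, for the monitoring pipeline to index.
function gateLogLine(report, decision, now = Date.now()) {
  return JSON.stringify({
    ts: new Date(now).toISOString(),
    event: 'deploy_gate',
    target: report && report.target,
    allowed: decision.allowed,
    reason: decision.reason,
    blocking: decision.blocking.map((f) => f.id),
  });
}

function main() {
  const now = Date.parse('2022-10-06T10:00:00Z'); // fixed clock so the sample run is reproducible
  const decision = evaluateScan(SAMPLE_REPORT, DEFAULT_POLICY, now);
  console.log(gateLogLine(SAMPLE_REPORT, decision, now));
  for (const issue of toTrackerIssues(SAMPLE_REPORT, decision.blocking)) {
    console.log(`would file: ${issue.title} ${JSON.stringify(issue.labels)}`);
  }
  console.log(decision.allowed ? 'deploy allowed' : 'deploy blocked');
}

main();
```

Run with `node gate.js`. On the constructed report the gate blocks the deploy because of the single high finding, and a missing or stale report blocks it just the same, which is what makes "nobody can forget the scan" hold: the absence of a recent scan is itself a failing condition rather than a pass.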
16. Hertz - The $32m Website That Never Went Live
2015
• Hertz launches major technology upgrade program
• Five core platforms: Digital, CRM, fleet management & fleet accounting, reservations & rentals
• Expected cost $400m
2016
• Hertz engages a well-known IT consultancy firm as well as others to redefine CX for its market leading brands
• The IT consultancy firm is selected based on claim of world class expertise in website and mobile application development
• Phase 1: ”Solution blueprint” costs $7m
2017
• Hertz hires a new CEO that promises “modern e-commerce platform by end of 2017”
• IT consultancy firm is selected based on claim of world class expertise in website and mobile application development
2018
• CEO Resigns
• IT consultancy removed from the project.
• Hertz claims to have spent an additional $10M in fees to correct work
17. 2019 - Hertz sues the IT consultancy firm - What went wrong?
► No responsive design
► No common core
► Vulnerable code
► No experience with used technologies
► No testing and documentation
18. How Hertz Could Have Done Things Differently
► IT consultancy said they had the best talent in the world and would provide their best team from the start.
► IT consultancy had the right under the contract to determine all staffing, including to replace staff at will, with no agreement as to the minimum levels of experience of any particular staff member.
► This was not a fixed-price contract and instead, the IT consultancy was paid on a time-and-materials basis. Therefore, there are no circumstances under which a request for payment would be considered “extortionate.”
► The consulting services agreement signed in 2004 between the companies barred the firm from being liable “for any consequential, incidental, indirect, special or punitive damage, loss or expense (including but not limited to business interruption, lost business, lost profits, or lost savings).”
► In a nutshell: Responsibility for the project — including responsibility for it failing — always rests ultimately with the buyer.
19. “If you're competitor-focused, you have to wait until there is a competitor doing something. Being customer-focused allows you to be more pioneering.” - Jeff Bezos, Founder of Amazon
20. Building An Engineering Capability
1. Nimbleness - It is a strategic advantage that increases the agility of a company.
2. Advantage - If you let someone else develop your software then you risk giving that advantage to your competition.
3. Domain Knowledge - Developing software requires a thorough understanding of the domain you are addressing. When the development is over, why would you let that knowledge walk out the door and have to invest in the next developer all over again?
4. Long Term Thinking - In-house developers have an allegiance to the company they work for, and the decisions they make will more likely support the company and its needs because they must take responsibility after the project is over as well as maintain any mess they leave behind.
5. Conflict of Interest - Outsourcing is inherently short-sighted, geared toward addressing the “stated” requirement in a manner that provides the most profit. An outsourcer is guaranteed more business if they purposely ignore long term issues and resist being proactive.
6. Culture - In-house developers elevate a company’s culture because they work closely with their customers hour to hour. This results in better community awareness and cross training that cannot be achieved with outsourced coders.
7. Feedback Loop - The communications feedback loop is immediate with an in-house developer and far preferable to telephone tag. This increases responsiveness and avoids issues falling through the cracks.
21. What Was Achieved in 12 Weeks
► 5 APIs
► Patient iOS App
► Pharmacist Progressive WebApp
► Infrastructure Deployment
► Released to the Italian market
22. One Programming Language
1. Only language understood by a Web Browser
2. Tech companies investing heavily in JavaScript
3. Could be used for X-Platform Mobile Applications
4. Automate manual processes across your organization
5. Massive online community
6. Most commonly used language over the last 10 years
7. Powerful and Fast
23. Make Smart Technology Choices
MongoDB Atlas
Atlas Search is an embedded full-text search in MongoDB Atlas that gives you a seamless, scalable experience for building relevance-based app features. Atlas Search eliminates the need to run a separate search system alongside your database.
Developers deliver search features 50% faster
24. MongoDB Atlas - Out Of The Box Security
► Role based access control - Predefined roles. Roles can be customised to meet the needs of a team.
► Data encryption - Encryption makes your data unreadable by those that do not have the key to decrypt it.
► Limit connections - By limiting remote connections to the database, you reduce the risk of intruders accessing your data.
► Audit logs - Audit trails show who made changes to the configuration of the database and what those changes were.
25. Engineering Principles
► Business Demand (The What) should be owned by product teams in alignment with the Enterprise Architecture Framework
► Engineering ‘disciplines’ have been grouped into ‘Chapters’.
► Each chapter has a lead who will co-ordinate the definition of patterns, principles and standards for each technical competency.
► The Technical ‘How’ we deliver should be driven from the Chapter Leads.
► All engineers should be aligned to a chapter and take direction from the chapter lead.
27. Benefits of the Chapter Model
⎻ What is a Chapter
► A chapter is a group of colleagues in the same functional discipline across teams
► Defines ‘how’ to deliver within the frame of that discipline
⎻ Why?
► Expertise development within the domain
► Lean resource planning
► Cross functional learning and continuous improvement
► World-class engineering performance management
► Connections with broader engineering disciplines, e.g. platform, architecture, cloud strategy
► Talent attraction and retention, and longer term career paths
29. Modular Digital Services
Plug & Play
► Developing internal SaaS capabilities
► Extendible APIs for use across the organization
► Achieved standardisation
► Eliminates duplication
► Allow modifications through InnerSource
30. In Conclusion
► Concrete procedure & protocols - Align and evolve through chapter model
► Slow paced & Silos - Fixed through cross functional collaboration and reusability of Modular Digital Services
► Cyber threats - Fixed with automation, integration and monitoring
► Innovation - Fixed with smart technology choices