Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

IT Software Risk: Don't Hesitate - Automate

56 views

Published on

David Norton, CISQ Executive Director, discusses factors driving IT automation, cultural and behavioral drivers to introduce more automation into software development and the role that standards play.

Published in: Software
  • Be the first to comment

  • Be the first to like this

IT Software Risk: Don't Hesitate - Automate

  1. 1. IT Software Risk: Don’t Hesitate - Automate Dave Norton Executive Director Consortium for IT Software Quality david.norton@it-cisq.org
  2. 2. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 2 Two Basic Truths Things are more complex and the pace of change is relentless
  3. 3. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 3 Agenda • What are the drivers for automation • How do we introduce more automation • What role do standards play
  4. 4. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 4 Agenda • What are the drivers for automation • How do we introduce more automation • What role do standards play
  5. 5. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 5 Complex Technology Stack Multi-language,multi-layerArchitecture EJB PL/SQL Oracle SQL Server DB2 T/SQL Hibernate Spring Struts .NET COBOL IMS Messaging Sybase • Code style & layout • Expression complexity • Code documentation • Class or program design • Basic coding standards • Developer level Unit Level1 Technology Stack Java Java Java Web Services • Single language/technology layer • Intra-technology architecture • Intra-layer dependencies • Inter-program invocation • Security vulnerabilities • Development team level Technology Level2  Integration quality  Architectural compliance  Risk propagation  Application security  Resiliency checks  Transaction integrity  Function point,  Effort estimation  Data access control  SDK versioning  Calibration across technologies  IT organization level System Level3 JSP ASP.NETAPIs
  6. 6. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 6 Drive for Velocity Everyone wants faster time to market, but few want to hear about the risks
  7. 7. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 7 Complex Toolchains •Production metrics, objects and feedback •Requirements •Business metrics •Update release metrics •Release plan, timing and business case •Security policy and requirement •Design of the software and configuration •Coding including code quality and performance •Software build and build performance •Release candidate •Acceptance testing •Regression testing •Security and vulnerability analysis •Performance •Configuration testing •Approval/preapprovals •Package configuration •Triggered releases •Release staging and holding •Infrastructure storage, database and network provisioning and configuring •Application provision and configuration. •Performance of IT infrastructure •End-user response and experience •Production metrics and statistics •Application monitoring
  8. 8. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 8 Increasing Technical Debt Software Quality Iceberg (Code Complete, Steve McConnell) Code complexity Maintainability Internal Coupling Functional Size Redundant code Testability External Coupling Operating Cost Maintenance Cost Reliability Performance Business Value
  9. 9. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 9 Questions on Productivity
  10. 10. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 10 Desire for Autonomy Autonomy at Spotify —  by Henrik Kniberg
  11. 11. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 11 Greater Reliance on Suppliers Hope is not a strategy Quality Productivity Security Cost
  12. 12. © 2018 Consortium for IT Software Quality (CISQ) www.it-cisq.org 12 The Nine-Digit Glitch Board of Directors CEO, COO, CFO Business VPs Corporate Auditors CIO Now affect Accountable for Governance Risk management Business Continuity Brand protection Customer experience Nine Digit Defects
  13. 13. © 2018 Consortium for IT Software Quality (CISQ) www.it-cisq.org 13 Lets Learn From The Past As industry's mature they automate, from robots to fly-by-wire
  14. 14. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 14 Agenda • What are the drivers for automation • How do we introduce more automation • What role do standards play
  15. 15. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 15 Focus on Culture and Behavior • Don’t expect everyone to like automation, some people just like doing it the hard way • Incentivize the behavior you want for the individual and team. • Have agreed metrics and KPI linked to automation. • Show results
  16. 16. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 16 Develop The Correct Skills Process Design Scripting Toolchain Integration Standards Definition
  17. 17. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 17 Obtain Commitment From The Team Produc t Backlo g Risk Backlo g [Requirements, Policy's, Definition of Done] Compliance Officer Team Product Owner Product Manager GRC Stores/Themes Compliance Strategy [Working software, documentation] Risk Log / Board Escalations GRC Questions Information “Radiator” Standards, Good Practice, Regulations
  18. 18. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 18 Certify The Environment, Don’t Assume Produc t Backlo g Risk Backlo g [Requirements, Policy's, Definition of Done] Compliance Officer Team Product Owner Product Manager GRC Stores/Themes Compliance Strategy [Working software, documentation] Risk Log / Board Escalations GRC Questions Information “Radiator” Standards, Good Practice, Regulations Automated Environment Certified Tool Team Align
  19. 19. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 19 Gamify - Link Automation to Autonomy Autonomy Time of Deployments Intra-day allowed After hours and on weekends Frequency of Deployments No limits on changes per today Few changes per week Change Advisory Board CAB for information purposes only CAB for all changes Freeze Periods Only exceptional change freeze periods apply All freeze periods apply Continuous Integration Environments Quality Assurance Incident Management Release Management Coding Practices Team A Team C Team D Level of Automation Team B
  20. 20. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 20 Stay in Control With Agile Governance • Communities of Practice • Toolchain Consistency • Tools Register • Automation Best Practice
  21. 21. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 21 Link Automation to KPI, and Set Targets • Feature throughput • Lead-time/Cycle-time • IT Downtime • Business Downtime • Percentage of task automated • Refactoring rate and cost
  22. 22. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 22 Embed Automation With Suppliers CISQ has been referenced by the U.S. General Services Administration (GSA), formally citing CISQ requirements in a Information Technology (IT) statement of work from the Office of the CIO for the Office of Public Buildings. GSA is an independent agency of the U.S. government that supports general services of Federal agencies. See page 21, section 5.9 in GSA’s document, Schedule 70 Blank Purchase Agreement for IT and Development Services… “PB-ITS (Project Based IT Services) is seeking to establish code quality standards for its existing code base, as well as new development tasks. As an emerging standard, PB-ITS references the Consortium for IT Software Quality (CISQ) for guidance on how to measure, evaluate and improve software.”
  23. 23. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 23 Focus on Outcomes Business Outcomes Higher Productivity Grater Agility Improves Quality Reduces Risk
  24. 24. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 24 Agenda • What are the drivers for automation • How do we introduce more automation • What role do standards play
  25. 25. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 25 We Need Standards We Can Implement We built this city, we built this city on rock an' roll
  26. 26. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 26 We Need Standards We Can Implement We built this city, we built this city on rock an' roll
  27. 27. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 27 ISO 25010 Software Quality Model 1.Functional Suitability 2.Performance Efficiency 3.Compatibility 4.Usability 5.Reliability 6.Security 7.Maintainability 8.Portability
  28. 28. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 28 Standards Are Only Effective If Implemented We have to deal with the risk link - people.
  29. 29. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 29 Trustworthy Systems Manifesto As a greater portion of mission, business, and safety critical functionality is committed to software-intensive systems, these systems become one of, if not the largest source of risk to enterprises and their customers. Since corporate executives are ultimately responsible for managing this risk, we establish the following principles to govern system development and deployment. 1. Engineering discipline in product and process 2. Quality assurance to risk tolerance thresholds 3. Traceable properties of system components 4. Proactive defense of the system and its data 5. Resilient and safe operations
  30. 30. © 2019 Consortium for IT Software Quality (CISQ) www.it-cisq.org 30 CISQ Membership Is Free  www.it-cisq.org Over 2000 individual members from large software-intensive organizations:

×