August 31, 2022

Investments Unlimited (Excerpt Part 3)

By IT Revolution

In the vein of bestselling titles The Phoenix Project and The Unicorn Project, Investments Unlimited will help organizations radically rethink how they handle audit, compliance, and security for their software systems. By introducing concepts, tools, and ideas to reimagine governance, this book will catalyze a more humane way to enable high-velocity software delivery that inspires trust and is inherently more secure. Read Part 1 and Part 2 of our exclusive excerpt.


Michelle and Bill showed up to the office the next day at their usual time. Bill wandered over to Michelle’s cube around 9:30 am.

“Morning, Bill,” Michelle said.

“Good morning to you as well. So, do you have a recommendation for where we start?”

“Yes, yes I do. I combed through all of my emails and previous research last night. I moved it all to a new folder on the shared drive called ‘MRIA Madness.’ More of an ode to March Madness; less about our own madness.”

Bill chuckled a bit. He thought the title was witty.

“First thing I’ll do today is speak again with each of the people I’ve talked with to generate this research. I started a document called 1 – MRIA Outline. I added the ‘1’ to it so it’s the first document when you open the share drive.”

“Good call,” Bill replied.

“I’ll summarize my findings in this document and link to any other relevant information. My approach is to start with Risk and Audit. I want to trace the process starting with us stating ‘this is what we do.’ I’ve decided to give a single word to these ‘things we do.’ I’m calling them promises. ‘This is what we do’ is a promise we are making to regulators and customers and to each other.”

“That’s actually brilliant, Michelle,” Bill replied. “Putting my Product hat on, that would be a good way to market any change management we need behind this. Controls are very sterile, but promises—well, no one wants to break a promise.”

Michelle smiled, recognizing the compliment. “Sure. Thanks, Bill,” she said. “After I find all these promises, I’m going to trace each one to some type of implementation. We need to see how we commit to keeping these promises we make. It’s basic, but it’s a start. I don’t want to overcomplicate the discovery process. What do you think of the approach?”

“Ship it,” Bill replied. “How about you and I meet up at 3:00 pm every day? I’ll set aside two hours to analyze your info and help compile the outline. Does that work for you?”

“Sure, works for me!”

This first day seemed to be the longest and shortest day at the same time. Michelle spent every minute hopping around the office. No one was outside her scope of calendar invites and office drop-ins. She was pleased to find that many of the people she talked to were more than willing to help.

During it all, she realized a very important aspect of humanity. People love to talk about themselves, especially when someone is listening to them moan about a problem. Even though Michelle was still fairly junior in her career, she had a natural knack for facilitating unstructured conversation.

For one meeting, Bill joined. He was impressed with how she led the conversation with empathy. She often said things like “I know what you mean. I felt the same way,” or “I can see how that was difficult for you.” Bill on the other hand was visibly annoyed by some of their criticisms, demeanor, and complaints. He was able to keep his mouth shut, but his blood was boiling on the inside.

Michelle noticed. She smiled and thought to herself, For a person who’s mostly listening in, Bill sure looks like he wants to share a few choice words with people. Michelle took a different approach, however. She found endearing ways to cut through the complaining and self-centered attitude of many people. As a result, she was able to elicit facts.

Three o’clock in the afternoon came quickly. It seemed to creep up on Michelle like a bad guy in a horror film. She arrived at Bill’s office. It wasn’t much, really. It was like all the other offices at IUI. It was situated on the outside wall of the floor with windows on two walls and the standard, sterile, corporate-painted sheetrock for the other two walls. There was a tidy desk and a small conference table in the room. It looked like a great spot to work until she realized how hot the office was with the afternoon sun beating down on them through the windows.

Michelle and Bill reviewed all the interviews from that day. It was clear that they had uncovered two big pieces of information. First, they had documented the use of over twenty-four systems, spreadsheets, and documents used to capture the “things we say we are going to do.” Second, their list of interviewees had grown exponentially.

“I know we’ve grown, but wow, you don’t realize how big a small company can get until you try to talk to almost every employee,” Bill said.

“I have no clue what it was like here before, when you old-timers had to walk to work, uphill, both ways, in the snow,” Michelle joked. “But yes, we are big. I’ve now met folks who have worked here longer than I have but I can’t recall ever seeing their faces before.”

“Well, with all that aside,” Bill continued, “I think we can start the document.”

Sitting next to Bill at his office conference table, Michelle opened up her MRIA Outline document and typed the following:

MRIA

Finding/Concern

  • Inconsistent process, ineffective in ensuring security and compliance, resulting in unauthorized and vulnerable software with a significant number of defects being released to production.

Current State – Promises (aka “Controls”)

  • Documented software release process
  • Documented software testing process
  • [Continue here tomorrow]

“Well, that summarizes everything. Although that just seems like too few words for all the jibber-jabbing, complaining, and real facts we uncovered today,” Bill said.

“It’s late and I’m too tired to think about how to include anything else. We have copious notes. If we need to, we can always go back to them,” Michelle responded.

“Touché, touché,” Bill said.

Michelle saved her document and then closed her laptop. It was a couple of minutes past five, and she had to get going. Her babysitter got cranky if she had to watch Michelle’s twins later than six o’clock.

“I need to leave. I’ve had enough for the day. Let’s pick this back up tomorrow,” Michelle suggested.

“Agreed,” Bill responded.

Michelle walked back to her cube, grabbed her belongings, and started toward the parking garage. She passed many of the people she’d spoken with earlier. Tossing each one of them a soft smile, she couldn’t help but wonder to herself, IUI has smart and driven people. How could so many things go wrong at a place like this?


The next few days seemed to fly by. Michelle put on her best Sherlock Holmes, with Bill acting as her Dr. Watson. It seemed like there wasn’t anyone she didn’t speak with. Michelle would have set a meeting with the janitorial staff if she’d thought they had useful insights into how IUI kept promises to external auditors and customers.

Sometimes, it seemed like Michelle’s and Bill’s back-to-back meetings resembled a cheesy ’90s rom-com montage of the first year of a relationship, where everyone is getting along. Everyone is agreeable, energetic, and open. Other times, it resembled one of those serious montages of time spent on computers, debating one another, and burning the midnight oil.

By Tuesday afternoon, the MRIA Outline document had grown substantially.

MRIA

Finding/Concern

  • Inconsistent process, ineffective in ensuring security and compliance, resulting in unauthorized and vulnerable software with a significant number of defects being released to production.

Current State

  • Promises (aka “Controls”)
    • Documented software release process – Not documented
    • Documented software testing process – Somewhat documented, teams do things differently
  • MRAs
    • Insufficient Response – 4
    • Not Responded To – 11
  • Main Systems for Process and Documentation
    • Risk – GRC System
    • Security – Knowledge Mgt. Module
    • Server Mgt. System – CMDB
    • Product – Ticketing System
    • Engineering – Git Repo
    • Other Systems
      • Outside of the four main systems, there are 38 other “systems” that consist of community documents and wiki pages but mostly spreadsheets stored all over the company, sometimes on personal computers.
      • See “Appendix – Spreadsheets & Informal Systems” for detailed information and system owners.
  • Actionable Items
    • Based upon the MRAs issued, the following items should be addressed with formal, standardized approaches:
      • Goal: Define a minimally acceptable release approach.
      • Objectives
        • Enforce peer reviews of code that is pushed to a production environment.
        • Identify and enforce minimum quality gates.
        • Remove all elevated access to all production environments for everyone.

“It’s amazing what happens when you can focus and finish a task, even on a seemingly tight deadline,” Bill said.

“I think we talked to everyone,” Michelle replied.

“Yes, we did. Everyone, their mother, and their grandparents.” Bill studied the document on Michelle’s laptop. “This is a solid summary. It’s on point for Tim and Carol’s request. I think it sets the stage for next actions and solutioning. What do you think?”

“Of course I’m good with it! Condensing all of this information was painful. I feel like there’s so much more to say,” she replied.

“This isn’t really any different than identifying features for a product. Think of all those folks as customers and what we did as requirements analysis,” Bill said.

“Oh, that makes sense,” said Michelle.


Read more in the upcoming book Investments Unlimited: A Novel about DevOps, Security, Audit Compliance, and Thriving in the Digital Age by Helen Beal, Bill Bensing, Jason Cox, Michael Edenzon, Tapabrata Pal, Caleb Queern, John Rzeszotarski, Andres Vega, and John Willis. Coming to a book store near you September 13, 2022.
