In this series of blog posts, follow along as we revisit Mark Schwartz’s book A Seat at the Table: IT Leadership in the Age of Agility. Five years after its publication, it’s still highly relevant and chock full of tips, tactics, and learnings. Join us as we follow along with Online Marketing Assistant Lucy Softich as she reads through the book for the first time. Make sure you start with the introduction post!
Chapter 10, Risk, sounds fairly straightforward, but it raises the question: in an Agile world, with its emphasis on speed and continuous deployment, how can you also ensure that your systems are safe and secure?
The Great Unknowns
Risk comes down to uncertainty, and uncertainty is guaranteed whenever you’re talking about unknown unknowns (which you usually are when it comes to knowledge work). Heck, even very stable businesses can be upturned by unforeseen events such as pandemics. Mark talks from the perspective of 2017, but with my 2022 perspective, I am all too familiar with world-altering levels of uncertainty.
No matter how many statistical models you run or how many precautions you take, things will occasionally go wrong. Mark talks about the responsibility of a CIO who goes with the least risky option, only to watch a competitor soar to success with the risky venture. Was this CIO wrong to have chosen the less-risky option, even though it ended up being less successful? Well, if you define success purely financially, maybe; but do you really want that risky CIO heading things when the next decision presents itself? Could you trust them to get lucky twice?
An Agile leader’s job is to calculate risk and make important decisions. And fortunately, this modern CIO has some extra tricks up his sleeve.
An Agile Approach to Risk
Speed feels inherently risky. If you’re moving too fast, there’s a danger that you will miss something, cut corners, or outright ignore safety protocols in order to deliver quickly. But that danger really arises when you are delivering to a deadline. In an Agile structure, by contrast, your aim is “as soon as possible” in the true sense of that phrase: as soon as this can safely and properly be delivered, and not before or after.
It turns out that an Agile framework is actually ideal for managing risk, as Mark says:
Surprisingly, one of the most powerful risk-management techniques introduced in the Agile world is the idea of testing in production.
Mark talks at length in this chapter about the value of testing. If you deploy in frequent small batches, you can constantly test for issues and immediately catch problems while they are still on a very small scale. And when you test in production, you can see how something functions in its real, live environment, instead of a test environment that can never be 100% identical to reality. You are able to work with agility (ha!) and efficiency while making your system safer.
Mark also discusses the importance of maintenance as part of security: the less flashy part, but also the less risky one.
Our instinct is to focus on the fancy protections against the extremely subtle attacks, but the basics of security are not complex, and it is the basics that we mess up on consistently.
He recommends a push for rugged systems where security and prevention are built into software from the ground up. This line of thinking speaks very much to modern conversations around DevSecOps or shifting left to allow security measures to be built into software instead of added later. Remember when I talked about 2nd Generation DevOps back in our introduction post? This conversation was happening back in 2017, and it’s only more relevant today.
Indeed, Mark talks about this “ruggedness”—this structural focus on safety and security—as a marker of quality. And look, our next chapter is Chapter 11: Quality!