‘No pain, no gain?’ How about ‘little pain, great gain?’

by Frederic Veron

This article originally appeared on CIO.com.

The Fallacy of Agility for CIOs

To stay agile, CIOs consume themselves with investigating new paradigms, solutions, features and technologies that can drive innovation and keep their organization on top. Whether it’s cloud computing, blockchain, AI, big data or machine learning, CIOs are always considering what’s possible and how the adoption of emerging technologies can transform and improve business operations.

But with so much focus on the future, it’s easy to steer development effort towards new projects and lose sight of what matters in the long-run, and more importantly, today: keeping IT risk low, maintaining the systems you have and ensuring those systems can support continuous change and transformation over time. 

Make Software Maintenance a Priority to Lower Your Risk Exposure

It’s easy and efficient to add new capabilities as new features to pre-existing applications and doing so makes practical sense. For example, it reduces development effort and speeds time-to-market. But to accelerate the pace of change, teams are more frequently adding entirely new systems and new technology stacks to fulfil new requirements, adding to existing complexities with limited knowledge of how these updates will impact the whole.

Particularly in environments where the majority of effort has been shifted to new development, this becomes increasingly problematic.

What’s more, when teams begin building a new system, they typically stop maintaining the old one because it will eventually go away. Indeed, in most cases the older system won’t be fully retired for several years, or longer if new functionality is being layered on top of it. While the new development effort is in progress, the legacy system is still running business operations, storing customer data and providing vital services. By shifting focus away from these systems and reducing the available maintenance spend, CIOs and their business counterparts forget that these older systems, too, require constant care to avoid outages, downtime and service disruption. As a result, end-stage legacy applications are regularly forgotten, lost or left undocumented, making it even harder to ensure they are reliable and can support new development.

Here lies the dilemma for CIOs: how can they afford to devote even more time and money to maintaining legacy apps while the business is wholly focused on staying competitive and leapfrogging the competition?

From my own experience, I’ve learned that it’s all about striking a healthy balance between maintenance and innovation. Neglecting current systems in order to focus on delivering new capabilities is simply not sustainable. In fact, CIOs who don’t pay enough attention to the stability of their current systems don’t stand a chance of proving their value to the business. They don’t get to test new solutions, they don’t get to propose new technologies and they’re not considered a reliable team player.

Once a CIO has established credibility by proving they can support the status quo, they can leverage that trust for the benefit of IT. This is not always easy; it often requires a bit of spunk and stubbornness to persuade business stakeholders that a more modest approach may be the best way. But if it’s going to protect the business and enable more productive innovation down the road, it’s always worth the fight.

As CIOs, if we can accept a few small pains in the pursuit of achieving many great gains, we will land on top. Below is my list of six principles to live by to keep risk low and solidify your success.

Six Little Pains That Translate to Great Gains

1. Make staying healthy a daily priority. Every year, a sizable part of your budget should be reserved for a technology refresh and upgrades. Whether you approach this spend as part of your base or discretionary budget doesn’t matter, as long as you are explicit about the budget you set aside for maintenance activity and the scope you will address. Typically, you will not get all the budget you need to fix everything, so be prepared to prioritize and accept some risk for what you cannot upgrade this time around.

Reducing IT costs by short-changing this type of necessary spend is a sure recipe for disaster, and the business will pay for it later many times over. Don’t let your business colleagues forget about the impact of this spend! Reviewing this portion of your budget in a collaborative way with the business will increase transparency and increase the success of your projects. As part of this, risk should be assessed and measured regularly so everyone understands where progress is being made, where more investment is needed and where a complete overhaul may be required.

Gartner has a recommended model for conducting periodic application portfolio assessments to identify cost reduction capabilities and increase agility.

2. Forget about uptime! Why do we continue to report uptime metrics when they tend to hover north of the “three nines” (99.9%)? Downtime is a far more telling and important measure of impact. Consider losing power for a few hours at home. Most of the time it resolves itself within moments and it’s not an issue. However, there are times when outages are more critical, such as during a big storm or natural disaster, and backup power becomes essential.

Being aware of when downtime can happen and what its impact on the business would be is what determines the criticality of that downtime. A great example of this is Cyber Monday. In 2018, Americans spent $7.9 billion on Cyber Monday, making it the largest shopping day ever in the U.S. Imagine if one of your e-commerce platforms experienced a critical outage on that day. Your company could stand to lose millions, and that is from just one of your applications going down.

Today’s large enterprise runs hundreds if not thousands of applications, most of which depend heavily on one another to operate. Even at 99.9% uptime per application, this means there is almost always an outage somewhere. To know what’s actually in that 0.1%, we have to look more closely at downtime trends and protect the business according to the right level of risk appetite.
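The arithmetic behind this item is worth seeing worked through. The example below is added here and is not code from the article or from CAST; it uses a handful of constructed incident records and hypothetical criticality weights (the application names, the per-minute weights and the peak-window multiplier are all assumptions). It shows three things the text argues: how many minutes of downtime “three nines” actually permits, how quickly the chance of an outage somewhere approaches certainty as the application count grows (and how serial dependencies erode the availability of a single transaction), and why ranking applications by raw downtime minutes can point at the wrong system once business impact and timing such as Cyber Monday are taken into account.

```python
from datetime import datetime, timedelta

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600

# Constructed incident records (hypothetical; not data from the article).
# Each tuple: (application, outage start in UTC, duration in minutes)
INCIDENTS = [
    ("checkout-api", datetime(2018, 11, 26, 9, 15), 42),      # during Cyber Monday 2018
    ("checkout-api", datetime(2018, 11, 3, 2, 0), 180),       # quiet overnight window
    ("search", datetime(2018, 11, 26, 12, 0), 5),             # during Cyber Monday 2018
    ("reporting-batch", datetime(2018, 11, 10, 1, 30), 600),  # internal batch job
]

# Hypothetical business-criticality weights (impact per minute of outage, in
# arbitrary units); a real model would take these figures from the business.
CRITICALITY = {"checkout-api": 10, "search": 3, "reporting-batch": 1}

# Cyber Monday 2018 (26 November) treated as a peak-trading window. Outage minutes
# that overlap it are scaled by PEAK_MULTIPLIER; the multiplier value is an assumption.
PEAK_WINDOW = (datetime(2018, 11, 26), datetime(2018, 11, 27))
PEAK_MULTIPLIER = 20


def allowed_downtime_minutes(availability, period_minutes=MINUTES_PER_YEAR):
    """Minutes of downtime implied by an availability target over a period."""
    return (1.0 - availability) * period_minutes


def probability_any_app_down(per_app_availability, app_count):
    """Chance that at least one of app_count independent applications is down
    at a given instant, each with the same availability."""
    return 1.0 - per_app_availability ** app_count


def chain_availability(availabilities):
    """Availability of a transaction that needs every listed service to be up
    (serial dependency: the product of the individual availabilities)."""
    result = 1.0
    for a in availabilities:
        result *= a
    return result


def raw_downtime_by_app(incidents):
    """Total outage minutes per application, ignoring business impact."""
    totals = {}
    for app, _start, minutes in incidents:
        totals[app] = totals.get(app, 0) + minutes
    return totals


def overlaps(start, minutes, window):
    """True if an outage of `minutes` beginning at `start` overlaps the window."""
    end = start + timedelta(minutes=minutes)
    return start < window[1] and end > window[0]


def weighted_downtime_by_app(incidents, criticality, window, multiplier):
    """Outage minutes scaled by application criticality and by whether the
    outage fell inside the peak-trading window."""
    totals = {}
    for app, start, minutes in incidents:
        factor = criticality[app] * (multiplier if overlaps(start, minutes, window) else 1)
        totals[app] = totals.get(app, 0) + minutes * factor
    return totals


def ranked(totals):
    """Application names ordered from most to least downtime."""
    return sorted(totals, key=totals.get, reverse=True)


if __name__ == "__main__":
    print(f"99.9% availability allows {allowed_downtime_minutes(0.999):.1f} minutes down per year")
    print(f"P(some app down | 500 apps at 99.9%) = {probability_any_app_down(0.999, 500):.2f}")
    print(f"Three 99.9% services in series: {chain_availability([0.999] * 3):.4%}")
    print("Ranked by raw minutes:     ", ranked(raw_downtime_by_app(INCIDENTS)))
    print("Ranked by business impact: ",
          ranked(weighted_downtime_by_app(INCIDENTS, CRITICALITY, PEAK_WINDOW, PEAK_MULTIPLIER)))
```

With these constructed records the batch job tops the raw-minutes ranking, while the weighted ranking puts the checkout API first because of 42 minutes lost on Cyber Monday; that reversal is the reason the text asks for downtime trends viewed against business impact rather than an uptime percentage.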

3. Take an inclusive, design-first approach. Safe and sound systems must be planned and designed that way from the beginning. Bolted-on security, after-the-fact and manual controls, non-scalable architectures and clumsy designs will ultimately fail in production.

Thinking about your end-user is natural and should be a primary focus. However, we also need to incorporate user stories where the user is the individual responsible for maintaining the health of these systems. This maintenance should be as automated as possible, but we also need to provide administrative functionality in case intervention is necessary. This should be incorporated in the plan from the beginning to ultimately be more effective and ensure systems are healthy in the long run.

Not all conditions can be foreseen, but the more “what if” scenarios the project team considers in design, the more success they will have in delivering apps that serve both the needs of today and tomorrow. To do this, software quality and robustness must be approached in an agile way, with proper prioritization and a forward-looking plan that supports ongoing maintenance efforts.

4. Tool-up. The now-cliché saying that technologists are challenged to “build the plane while we’re flying it” couldn’t ring truer than in maintenance vs. modernization decisions. CIOs must make critical updates to systems at the same time as they’re relied upon to drive business value and revenues. The only way to do this effectively is to give your team modern tools that support your unique challenges.

Thomas Klinect, a senior analyst at Gartner, suggests that “with more complex transformations taking place, vendors are forced to provide application leaders with more-intelligent software packages aimed at modernizing existing complex systems.” This is good news for CIOs and their teams, who now have more flexibility and freedom in the tools they choose to put in their belt.

Now, the challenge is to select solutions that are complementary with one another and help you demonstrate continuous improvement with minimal disruption. In my experience, this presents another hurdle with the business. CIOs must not only justify the number of tools required for maintenance but must also demonstrate why further investment in the customization of those tools is essential to success.

When selecting which and how many tools you need, consider a few points:

  • How efficient and effective is the tool?
  • Can the tool be integrated with others to align low-level technical data with top-level business information?
  • Does the tool lend visibility into software health and root cause analysis?
  • Does the tool help you identify and fix issues quickly?

5. Get regular, real-time measures of software health. Dashboards and reports that you can take to your business partners are a big value-add when trying to prove that you’re making progress. These reports should look beyond downtime and incidents to showcase the overall health of the inner workings of your systems. A new category of solutions in this market called Software Intelligence can help you consolidate the most important data about the safety and soundness of your systems, including the structural robustness, efficiency, security and maintainability of your software at design time.

For instance, this can help you assess your level of compliance with various controls and enforce architectural principles across the organization. All these characteristics contribute to your overall risk profile. The lower your risk profile, the better, not only from a stability standpoint but also for your ability to build new features and capabilities at scale.

The key to success here is remaining focused on using the data to make consistently informed decisions and monitor progress over time. These should be the facts that drive conversations between IT and business leaders and inform IT investment decisions.

DevOps and Agile methodologies can also have a positive impact on overall risk exposure. Combining structural quality measures with defect ratio, dollar spend, cycle release time, build count and other data ensures maximum transparency and alerts teams to high-risk areas.

6. Make safety and soundness a priority for everyone. CIOs must be evangelists. It’s not just about keeping IT’s eye on the ball - the CIO must be the key player who keeps everyone else on-task and equally aware of processes and technologies that may put the organization at risk. It requires educating everyone about the potential risks, what could go wrong, what needs to be fixed and the level of priority for each.

Safety and soundness should be everybody’s business - from management to business to architects to developers - it takes a village. With timely and up-to-date data, fast decisions can be made with all teams on the same page for the best outcome.

Achieve Great Gains

More stable systems are obviously a good thing for the business, but more importantly they set us (the CIO) up for long-term success. Stable systems help us maintain that tricky balance between maintenance and innovation while giving us more time to invest in and control more strategic enhancements that map directly to business outcomes. They also help us drive teams to implement changes faster because we can trust that our systems are safe, secure and dependable.

It’s like a race car. NASCAR drivers can drive at dangerously fast speeds because they know they have reliable brakes and a precise handling system that is checked and measured daily, backed by constant training and practice, which allows for a more aggressive drive. Without such brakes or quality checks, there’s no basis for trust. Drivers would have to take every turn tentatively to minimize the risk of an accident.

For IT organizations, this is equivalent to losing control over the quality of application releases. It forces us to add layers upon layers of controls and tests, slowing down projects while keeping us vulnerable to nine-digit defects.

Establishing a disciplined approach to properly maintaining current systems frees us from the firefighting chaos associated with unstable applications so we can design and implement new and innovative solutions. It makes that search for the right balance between old and new much more natural and straightforward. And at the end of the day the business will come out stronger.

Frederic Veron, CIO and Head of Safety and Soundness

Frederic is a tenured IT executive with extensive experience in the financial services and global technology consulting industries. Well versed in the challenges of IT service delivery and governance models, Frederic has led countless transformation and risk management programs to help companies complete the shift to fully digital business models.