Harvard Business Review has reported that digital leaders succeed in large part due to their ability to recognize and scale innovation across their business – seeing beyond transformation hurdles and IT complexity. They never lose sight of the end goal.
So, what does it take to be a digital leader? As a sponsor of the Software Risk & Innovation Summit last week in New York City, I was able to hear from some of the leading experts on the matter, including CISQ, JetBlue, COACH, Fannie Mae, BCG and others.
Under the umbrella of software risk, attendees heard about two major issues:
Is DevOps really right for you?
A big discussion point during the first panel was “don’t just assume DevOps is right for you because it feels like everyone is doing it.”
As articulated by Marc Jones of CISQ: “There’s this assumption that everyone is doing DevOps, but it goes beyond just changing operations. When it comes to core, critical applications, a strong control mechanism needs to be in place.”
It’s not always obvious what the criteria for applying DevOps are. Most enterprises today have thousands of applications. “In order to do DevOps successfully, you have to know how DevOps integrates across the entire organization,” said Carroll Moon of Microsoft. You can’t just pick an app and go, you “must be granular about accountability and get specific metrics and monitoring in place” to achieve long-term success, he said.
The full-stack engineers that good DevOps requires, and the security professionals needed to control cyber risks, are in short supply. This feeds into the need to automate as many of the risk controls as possible into the process. In discussing organizational challenges to DevOps, it was also clear that getting operations teams up to speed is a main hurdle.
“More change is needed on the ops side to embed the correct controls,” said Louis Garzon of COACH. “You might be getting safety and risk outcomes, but there can be big ripples on the culture side that prohibit growth and stability.”
When it comes to ensuring software quality in DevOps, the consensus from the panel was that a “fail fast” methodology is typically quite helpful. Even though you might be pushing out poor-quality code in an incremental release, employing an A/B testing sandbox can minimize risk to the organization.
“You can’t wait for quality testing down the line,” said Ramki Ramaswamy of JetBlue. “IT must bring QA and compliance upfront as key priorities.” Doing so will further eliminate risk from fail fast practices, allowing teams to push new functionality to customers without exposing them to undue risks.
What risks should digital-first companies address today?
Following panel number one, executives from BCG, IBM, Fannie Mae, Bank Hapoalim and Venable took to the stage to discuss how digital leaders can effectively manage risk while driving innovation.
“A big part of success here is being able to course correct quickly,” said Benjamin Rehberg of BCG. “You must always be calculating this enterprise risk equation in the back of your mind.”
Modern business models have also seen a significant shift toward outsourcing to Cloud in the last five or more years. While this can increase the phenomenon of shadow IT, there is also opportunity for digital leaders to benefit from Cloud provider specialization.
For example, a breach of AWS would be devastating to thousands of companies, so they take it very seriously and have vastly more resources to dedicate to cybersecurity than, say, a typical Fortune 1,000 company. There is also huge value here when it comes to cloud migration and cloud modernization. On the other hand, some financial institutions still consider Cloud a “four-letter word.”
Regulators are starting to take notice of this outsourcing trend and consider it more heavily. But with startups invading the marketplace, regulators must consider a diverse landscape.
“Regulations are complicated, chaotic and changing,” said Don Andrews, Partner at Venable. “It can be hard for startups, fintechs and regional banks to comply with regulations that are really meant for larger institutions. The big question in the immediate future is will government have the courage to scale back regulations to accommodate this trend?”
The panel agreed that one of the most important paths to successful and safe innovation is strong collaboration between regulators, chief risk officers and technologists. Sometimes it’s the regulators who are the first to see an opportunity to simplify the risk environment. An atmosphere that encourages communication between the GRC stakeholders and the IT teams is key.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and liability implications of open source components - all three of which are critical for M&A due diligence.