This post is from the XebiaLabs blog and has not been updated since the original publish date.
Dear CIO, Your Risk is Out of Control
Welcome to Part 2 of "Who, What, Where?", a series of blog posts that offer advice and solutions for meeting compliance and security requirements as you develop software at enterprise scale. In this series, XebiaLabs experts cover everything you need to know to take the pain out of audit tracking and reporting. Check out Part 1 here.
I think I can predict one of your biggest struggles: increasing the speed at which your teams build, test, and release features to end users. It’s true: figuring out how to deliver software faster is hard. But there’s another struggle exacerbating your attempt to deliver faster—a multi-headed monster that threatens your ability to get your IT risk under control.
That monster most likely keeps you awake at night. You’re thinking about how you can reduce operational IT risk, so you have more room to operate. You’re worried about staying focused on what matters the most when your financial reserves are insufficient to cover risk costs. And on top of all of that, you still need to figure out how to continually create business value.
The obstacles to IT risk control
The obstacles that keep you from controlling IT risk don’t just hurt the company as a whole—they also have a negative impact on your development teams. You’ve probably asked the following questions many times:
- Why is it so hard for the development team to satisfy audit and compliance requirements with the IT risk control framework that we’ve put into place?
- Why is it that every time the team says they have a compliance process set up and all required approvals in place, they seem to lose focus and start slipping again after a few weeks or months?
- Why does it take so long for the team to go through an audit?
- Why is it so hard to gather the evidence that proves that the development team followed the right processes?
- Why do engineers get so frustrated by compliance requirements? Is it because they’re annoyed that they can’t just focus on coding?
- Am I going to lose my best engineers because they want to solve technical coding puzzles instead of being forced to work on compliance?
Do you recognize these obstacles? Or maybe you’re facing obstacles that are far worse? Or maybe you don’t know. Don’t worry; you’re not alone. Many organizations struggle to stay on top of IT risk.
Pivot the focus
To accelerate your primary software development process, you must have a much stronger focus on the secondary IT risk process. Of course, this is easier said than done. Implementing an effective IT risk process is a continuous journey. Taking a few countermeasures here and there without accounting for the overall process won’t work. Taking control of IT risk requires an end-to-end approach that covers software delivery management from code commit to deployment in Production.
A three-step approach for eliminating sleepless nights
I propose a three-step approach to controlling IT risk based on XebiaLabs’ experience with organizations that take accelerating their software delivery process very seriously. Note that the order of these steps matters! Automating processes before you simplify them is a waste of energy.
1 – Review audit rules and simplify compliance practices
Many development teams follow processes that were put in place to satisfy audit rules at some point in the past. But it’s important to review those processes to be sure that they’re actually required, and that they actually satisfy the rules they’re intended to.
Many organizations that do this type of audit review find that their teams are stuck with compliance practices that have been inherited from other projects, or that were once necessary but are no longer needed. Reviewing audit rules also helps development teams understand what certain rules are designed to achieve, so they can re-evaluate their own tools and processes.
Teams often find that they can simplify and streamline compliance tasks while still satisfying the audit requirements that ultimately help reduce IT risk.
2 – Be compliant by default
Focus on creating a process that is both fast and compliant by default. All changes to Production should go through a process that has compliance built in; this is critical for reducing risk and accelerating delivery.
There are many ways to build compliant pipelines. Here are some suggestions for getting started:
- After you review audit rules and simplify compliance activities as described in step 1, determine which of the remaining compliance validations can be automated.
- Separation of concerns and segregation of duties both matter in your development lifecycle. Don’t put all of the burden of building and maintaining a compliance process on your developers.
- Get rid of personal access to all DevOps tools as much as possible. Instead, use service accounts (sometimes called non-human accounts).
- Make use of build breakers that stop the software delivery process if a compliance step fails. This gives development teams a fast feedback cycle, which is crucial.
- Set policies, profiles, or thresholds for code coverage and benchmark tests. Unit testing, security testing, and performance testing all can have a threshold. As soon as a threshold is not met, a build breaker stops the process so the team can react. This setup can be painful in the beginning, but it’s important for increasing the quality of the product and improving process execution.
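A build breaker of the kind described in the last two items, as an added example that is not XebiaLabs code or part of the original post. The metric names, threshold values and build ID are assumptions chosen for illustration; the gate fails closed when a metric is missing or malformed and emits a JSON record that can be archived as audit evidence.

```python
import json
import math
import sys

# Hypothetical policy: metric names and limits are assumptions for this example.
POLICY = {
    "unit_coverage_pct": ("min", 80.0),
    "critical_security_findings": ("max", 0),
    "p95_latency_ms": ("max", 250.0),
}

def evaluate(metrics, policy=POLICY):
    """Check every policy rule; a missing or non-numeric metric counts as a failure."""
    checks = []
    for name, (rule, limit) in sorted(policy.items()):
        value = metrics.get(name)
        numeric = (isinstance(value, (int, float))
                   and not isinstance(value, bool)
                   and math.isfinite(value))
        if not numeric:
            ok, value = False, None  # fail closed: no evidence means no pass
        elif rule == "min":
            ok = value >= limit
        else:
            ok = value <= limit
        checks.append({"metric": name, "rule": rule, "limit": limit,
                       "value": value, "passed": ok})
    return {"passed": all(c["passed"] for c in checks), "checks": checks}

def gate(metrics_json, build_id):
    """Return (exit_code, evidence_json) for one pipeline run."""
    try:
        metrics = json.loads(metrics_json)
        if not isinstance(metrics, dict):
            raise ValueError("metrics must be a JSON object")
    except ValueError:
        metrics = {}  # unreadable report: every rule fails
    evidence = evaluate(metrics)
    evidence["build_id"] = build_id
    return (0 if evidence["passed"] else 1), json.dumps(evidence, sort_keys=True)

if __name__ == "__main__":
    # Constructed sample report: the latency threshold is not met.
    sample = ('{"unit_coverage_pct": 84.2, "critical_security_findings": 0, '
              '"p95_latency_ms": 310}')
    code, record = gate(sample, "build-0001-constructed")
    print(record)      # archive this line as audit evidence
    sys.exit(code)     # a non-zero exit code stops the pipeline stage
```

Run as a pipeline step by a service account, the non-zero exit code breaks the build and the printed record shows which threshold failed and with what value.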
3 – Automate the process from end to end
After you review and simplify your compliance with audit rules and build a software delivery pipeline that is compliant by default, it’s time to automate the whole IT risk process from beginning to end. Automate all checks, tests, approvals, quality gates, roles and permissions, change request creation, code coverage, CMDB updates, notifications to monitoring systems, and even updates of your operational control framework.
To automate the IT risk process, you need a Release Orchestration solution that operates a level above siloed, individual tools by connecting them together and orchestrating compliance tasks. You will not have complete control of your IT risk if you can’t cover the end-to-end software delivery process.
You can use Continuous Integration (CI) solutions such as Jenkins, Travis CI, or CircleCI to create a strong CI system and move a little faster, but they won’t help you lower your IT risk burden, and you’ll never get a repeatable risk process. Scripting CI tooling to manage IT risk puts too much of a burden on development teams.
How XebiaLabs can help you in this journey
At XebiaLabs, we strive to make it easy for you to take these three steps. The XebiaLabs DevOps Platform offers value stream reporting and key metrics to help you identify the places where you can simplify and streamline compliance activities. Out-of-the-box support for control via roles and permissions, lockable tasks, and quality gates, as well as tight integrations with static code analysis tools, help you build a delivery pipeline that is compliant by default—even for Production. And powerful Release Orchestration capabilities let your development teams automate the IT risk process from beginning to end, with full visibility for all stakeholders.
I hear you thinking, “Is it really that simple?” If it were simple to set up an IT risk framework, every organization would already have an effective one. It requires perseverance to change deeply ingrained compliance and audit processes. But even though it’s not easy, it is necessary. There is no other way to speed up software delivery and avoid sleepless nights. XebiaLabs can help you in your journey; you can even get started for free today.