Governance, the old way
Governance is an important word in corporate IT. Without governance, diversity would increase to the point of chaos, driving IT complexity and cost through the roof. With such an important mandate, it is curious to observe that typical enterprise IT governance is actually quite limited in the tools it employs, and hence in the results it achieves.
In particular, traditional IT governance suffers from the following two limitations:
Most of corporate governance is based on documented guidelines. Enforcement processes attempt to ensure that these guidelines are actually observed, e.g. by installing approval gates or budget restrictions for new investments, augmented by occasional spot checks or architecture reviews. Unsurprisingly, the gap between prescribed governance and reality is bound to be significant, especially in large and complex enterprises.
This type of governance appears to derive its operational model from the law: you write down what is allowed and what isn’t, and if you catch someone in violation, you fine them or send them to jail. While this model works reasonably well for drivers and citizens in general, catching perpetrators in a fast-moving world where IT assets can be acquired with a credit card is a losing proposition.
Focus on Inventory
Second, governance largely focuses on software and hardware inventory - the pieces that are acquired and thus can be easily detected through budget control. Achieving specific capabilities, like being able to roll out new versions without any planned downtime, is at least equally important (see Check Capabilities, not Ingredients), but rarely the focus of governance.
Enter the Chaos Monkey
With so much automation helping IT become more efficient and more disciplined, one should wonder to what extent governance can benefit from automation. We may find the answer in an unlikely tool…
Netflix’ Chaos Monkey tool gained almost immediate notoriety, not least due to its provocative name, but also because it popularized the notion of Chaos Engineering, which aims to better manage the complex systems we tend to create. The Chaos Monkey is a tool that randomly terminates running service instances to ensure that applications are resilient against instance failures. Since its inception in 2011, the Chaos Monkey has been joined by many cousins that simulate latency and other types of system disturbances.
While it’s easy to dismiss the Chaos Monkey as a wacky tool for wacky internet companies, it does deserve a second look, even in enterprise IT. That’s because the Chaos Monkey is the ultimate governance tool - rather than simply prescribing that applications should be resilient, it kills those that aren’t compliant. Now that’s a form of governance that even the governator would be proud of!
I’ll be compliant – if it doesn’t slow me down.
An additional hindrance of governance can result from the fact that governance rules often conflict with other business and technical priorities. For example, all software should undergo an architectural review, a security review, a penetration test, etc. However, all these cost time and money for preparation as well as execution, while projects are incentivized to deliver fast and under budget constraints.
The only way to resolve this eternal conflict is to define clear priorities and to understand that something being a second priority doesn’t mean it’s less important. It simply means that it’ll be optimized within the constraints set forth by the first priority. Because that sounds a bit academic, let’s pick a simple example. If your company chooses delivery speed as the first priority (not a bad choice in Economies of Speed), it doesn’t mean security isn’t important. But it means that you’ll aim to achieve the best security that doesn’t slow you down. For example, instead of manual reviews and pen tests you conduct automated code quality checks and automated pen tests that can keep up with the pace of software delivery. Or you employ a security monkey that disables insecure software.
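A sketch of such a "security monkey", combining the Chaos Monkey's governance logic (an application that cannot survive losing an instance is not compliant) with the automated security checks mentioned above, as an added Python example that is not code from the text or from Netflix. The rule names, the patch threshold, the inventory fields and the sample instances are all constructed assumptions; the platform call that actually stops an instance is injected so the policy logic can be tested without touching any system.

```python
from dataclasses import dataclass
from typing import Callable, Optional

MIN_PATCH = 7  # constructed policy threshold, not a value from the text
@dataclass(frozen=True)
class Instance:
    app: str
    instance_id: str
    replicas: int            # running instances of this app
    tls: bool                # endpoint is TLS-only
    patch_level: int         # monotonically increasing patch counter
    admin_port_public: bool  # admin interface reachable from outside

# A rule returns a violation message, or None when the instance complies.
Rule = Callable[[Instance], Optional[str]]
RULES: dict[str, Rule] = {
    "tls-required": lambda i: None if i.tls else "serves plaintext",
    "patched": lambda i: None if i.patch_level >= MIN_PATCH else f"patch {i.patch_level} < {MIN_PATCH}",
    "no-public-admin": lambda i: "admin port exposed" if i.admin_port_public else None,
    # Chaos Monkey premise: an app must survive losing one instance.
    "survives-termination": lambda i: None if i.replicas >= 2 else "single instance",
}

def find_violations(inventory: list[Instance]) -> dict[str, list[str]]:
    # Map each non-compliant instance id to the rules it breaks.
    result: dict[str, list[str]] = {}
    for inst in inventory:
        broken = [f"{n}: {m}" for n, rule in RULES.items() if (m := rule(inst))]
        if broken:
            result[inst.instance_id] = broken
    return result

def enforce(inventory: list[Instance], disable: Callable[[Instance], None]) -> list[str]:
    # Disable each non-compliant instance via the injected platform stop call; return an audit log.
    violations = find_violations(inventory)
    log = []
    for inst in inventory:
        if inst.instance_id in violations:
            disable(inst)
            log.append(f"disabled {inst.instance_id}: " + "; ".join(violations[inst.instance_id]))
    return log

# Constructed sample inventory; the apps and ids are not real systems.
INVENTORY = [
    Instance("billing", "i-001", 3, True, 9, False),
    Instance("billing", "i-002", 3, True, 9, False),
    Instance("legacy-crm", "i-010", 1, False, 4, True),
    Instance("reports", "i-020", 2, True, 6, False),
]
```

Running `enforce(INVENTORY, disable=lambda inst: None)` on the sample inventory disables the legacy CRM instance for all four rules and the reports instance for the patch rule alone, while the two billing instances stay up.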