In the era of ‘Digital Transformation’, we’re repeatedly told two mantras: Software is eating the world, and every company is now a software company.
Unsurprisingly for a company that specialises in software development, CA Technologies is a big proponent of the idea. The company’s CTO, Otto Berkes, has even written a book about it. But he takes this concept further.
He says that companies should look to become “Modern Software Factories”, where companies are not only developing their own software, but doing so in a way that makes use of all the most up-to-date practices and tools around DevOps, Automation, Continuous Delivery, and security.
Mastering your software transformation
CA recently released a study, Don’t Let an Outdated Software Strategy Hold You Back, designed to explore how far along companies are on this journey towards becoming a software company.
At an event launching the research, Berkes warned that there are “Already leaders and laggards in race to build software factories.”
The report suggests that while most businesses understand the importance of, and need for, better software and better processes for developing it, few have actually perfected their implementation of the concept. Only around a quarter of the 1,200+ companies surveyed reported widespread use or implementation of tools such as automation and application analytics as well as deployment of DevOps and security principles.
Those that embrace this concept get more than just applause in reports: the companies that are leading the way towards this software-driven way of doing business – what the report calls the ‘Masters’ – report higher revenue and profit growth than other companies. These ‘Masters’ were also seen to be better at attracting talent and more agile.
You can’t just buy your way to digital transformation
Whether it’s John Deere acquiring Blue River for its Machine Learning skills, GM buying Cruise Automation for its self-driving car nous, ASSA ABLOY paying up for smartlock startup August Home, or Boeing snapping up Aurora Flight Sciences, legacy companies left and right are buying the tech startups trying to disrupt them in an effort to try and get ahead of the game.
Cultural change
Beyond the mere acquisition of talent – through hiring or buying – the hard work can be changing the way the company as a whole thinks and works.
“The cultural aspect is often underestimated. You can spend a ton of resources acquiring a ton of talent, but if you don’t have the systems and the culture in place to support and enable them, it will become a futile exercise.”
Company culture, however, is often driven by the people at the top. If a company’s execs and leaders aren’t able to adapt to the digital way of doing things, that can stop any kind of evolution from actually taking place anywhere in the organisation.
“We talk about talent gaps today focused on software development talent, but we also need the right talent at all levels of leadership to be able to move into a new way of harnessing software.”
“It’s a question of talent management. Leadership absolutely is a part of that challenge. There are going to be many cases where leadership change needs to happen along with the rest of the talent change.”
However, although change often means new faces being brought on board, simply gutting the company of its older faces isn’t wise. AWS Chief Architect Glenn Core recently told IDG Connect that keeping experience on board is incredibly important during these kinds of transformations in order to ensure new ideas are implemented in a responsible and logical way, and Berkes agrees.
“With this kind of transformation you need a balance of talent, institutional knowledge, and memory: they know where some of the pitfalls are and where it’s better to tread cautiously, and to integrate new talent, people, and thinking into the organisation in a thoughtful way.”
“The reality in business is you don’t have the option of putting a pause on everything and starting over, you need to make sure that the business that you have continues to operate while you bring in new processes and transform the business. It’s critical to have people who have the historical context to provide that continuity.”
DevSecOps
Given we live in an age of constant hacks and mega breaches, security should be first and foremost in the minds of all developers. Sadly, this is rarely the case. Security companies often talk about the idea of ‘Security by Design’, but given the alarming frequency with which products are shipped with poor security, it’s clearly not something that’s really reached the ears of developers.
Berkes and CA are keen to emphasise the security aspect of their ‘software factory’ vision, and are proponents of the concept of DevSecOps.
“The idea is to move away from the idea of having security be this thing that you think about at the end of the development cycle, this process you apply right before you release software, and have it be a core competency at all stages of development.”
However, just like changing a company’s whole mindset can be a challenge, so can ingraining security into development. Berkes argues that the concept has to be translated into very specific actions and outcomes in order to have a material impact.
“It’s one thing to talk about secure by design, it’s another to actually have the right tools to be able to cover the software lifecycle.”
Instead of simply telling developers ‘make sure you write secure code’, says Berkes, companies should instead offer tools that will actually help them identify and address security gaps in code.
In response to the general apathy security often receives from people outside the infosec bubble, some have proposed legislation that would put certain security frameworks for application development in place, legally mandating how developers approach security.
“Legislation is tricky, partially because of the nature of security: nothing is 100% secure, so how do you legislate something you can’t guarantee?”
Instead, Berkes says he’d like to see something more akin to indicators of effort that show how seriously a company takes security.
“[People] download and cross their fingers and hope because there’s no way to really tell what amount of effort has gone into the application of security best practices. We need some kind of indication so you can make some kind of intelligent, data-driven assessment on level of trust.”
The Australian government is reportedly looking into a similar rating system for Internet of Things-connected products.
“It’s an interesting idea to try to standardize security best practices so that there’s some awareness both within industry and also on the consumer side of the equation so that when we click on something or download something at least you’ve got some idea of the level of effort that had been expended on security for that particular product.”