DevSecOps – Two Decades Ago

I began my career by starting a company the very next day after finishing my 4 years of undergraduate study in computer engineering. Almost three decades ago, the startup mindset was a novel concept for a young computer engineer in Southern India, while most of the talented computer engineers headed to a safe corporate job or to higher education to increase their chances of getting into a safe corporate job. The initial capital investment for the startup was provided by my father and was used to buy desktop computers. Ideas, confidence, enthusiasm and hard work were the capital that I brought to this venture. With that heavy capital investment, the startup bloomed, and all the work was done on two desktop computers.

The company was a massive idea army of two people. In those days, during the daytime, I primarily focused on sales and marketing for our startup. After dinner, I soaked my soul in conceptualizing potential product definitions based on the requirements I had heard during my cold sales calls and less-than-a-minute marketing pitches to small and medium-sized manufacturing and service companies. Like most startups, we had neither a product nor a customer and were desperate to find both before our initial operating funds ran out. In spite of having lots of ideas in our human memory bank, we prioritized the ideas that would fetch both a product or solution and a customer in the shortest time horizon. It was a self-funded startup; it was not started with a product in mind but to solve significant industrial problems using software and consultancy.

In retrospect, we followed a product and agile mindset and developed a minimum viable product to attain the business goals efficiently. We were able to implement these constructs even though we had never heard of these terms in technical journals (like Dr. Dobb’s), textbooks, collaborations with other software engineering experts, industry or clients. We were intuitively following these constructs out of necessity.

After a couple of years on the startup journey, like most fellow computer engineers of those years, I ventured into a safe technology corporate job. I gained a completely different set of experiences working for corporate giants. The customer was already committed to a project, the sales and marketing pitches had already been made, a contract was signed, the expected outcome and timeline were defined, the team was formed, roles and responsibilities within the team were defined, a methodology was chosen, formal meetings were scheduled, and it was all so organized. I was excited that all the basics were taken care of in that environment, and even more excited that I was able to focus on solving challenging technical problems in areas like lexical analyzers, tablet device drivers, the build process, automatic testing of products on multiple operating systems, source code control systems, etc. I implemented end-to-end automation of the build process, functional testing, system testing, integration testing, packaging (the software was released on tape to clients who ran Silicon Graphics and Sun Solaris operating systems, and on CD for the Windows 3.11 and WinNT operating systems), installation scripts (used to install the software in the client environment), installation testing, etc. The whole process was implemented and maintained by one person – me – along with the other responsibilities (implementing device drivers, kernel programming, the lexical analyzer) that I had during the project. In retrospect, I implemented continuous integration and continuous delivery for one of the most complex technical projects I have worked on in my career. As an industry, we didn’t use terms like CI/CD or DevOps, but that was an implementation of the CI/CD and DevOps constructs that automated the end-to-end process from code to deploy (a package that can be shipped to the customer).
Developers across the oceans were able to develop a new feature for the next release or fix a bug (identified by the client or by the internal quality assurance team) by checking the code into the code repository; the code was merged for release and tested automatically with no manual intervention, and an early-morning report was automatically sent to all developers with any compilation or code quality issues. This level of automation was implemented more than two decades ago, and the driving factor for it was the complexity of the product. The product had a single copy of source code that ran on multiple versions of multiple operating systems (HP-UX, Sun Solaris, Silicon Graphics, Windows), and product features were generally available on all operating systems. Even though we were proud of our accomplishments in those days, we never met our end customers. There were multiple layers and teams between the end customer and the development team. We worked on the assumption that all the features we developed were useful to the end customers, but we never met a customer or customer group.

After gaining years of invaluable experience in technology-based corporations, I ventured into automobile, auto financing, banking, financial services, distribution and medical device manufacturing companies, adding more experience to my long career in this type of company. The information technology space has evolved in the last two decades, but one fundamental function has not changed: developing a technology solution to solve a business problem. Machines have not yet arrived to automatically solve business problems. In today’s corporate world, almost everyone wants to develop technology solutions to solve business problems like a startup that evolves its solution based on customer demand, and like a technology company that automates end-to-end IT processes and focuses solely on the business outcome.

The key takeaways are:

a) The enterprise information technology organization within a corporation primarily provides business value to the bottom line by developing software solutions. In recent years, we have heard the phrase "software is eating the world", which is true. The software solution has been the output of the IT organization since the inception of IT, and it has grown into eating the world. Software solutions are not just an enabler of an established business; they also create new channels, products, and customers.

b) The terminology and definitions may be relatively new to the IT industry, but the concepts are not. As I mentioned through my personal experience, these concepts were used in pieces even a few decades ago.

c) With the integration of various tools, open source, processes and methodologies, the continuous integration and continuous deployment concept has been made available for easy consumption.

d) The software solution development methodology and approach are more critical than ever. To enhance collaboration among developers, end customers, business partners, the marketing team, architects, shared service organizations and other stakeholders, various concepts are in place, like CI/CD, DevSecOps, Agile and Kanban, and these concepts/solutions are now more mature and proven. It is imperative for the organization to implement these concepts/solutions and realize the expected business outcome, which is to provide the respective service or product to delight its customers.

Architect’s view on Compliance & Risk Management

If we study just to get good grades, we may or may not learn. However, if we study to learn, we will always get good grades.

The mission of information security in an organization must be to protect and safeguard the company’s assets, such as customer information or intellectual property. The objective of compliance and risk management in an organization is to measure the success rate of the information security team’s mission. If the mission of an information security team becomes being compliant with regulations and other internal & external governance bodies, the company’s assets may or may not be protected.

Have we ever thought about why we go fast (relatively speaking) in a car? Because we can, and cars are capable of going at high speed; but if you think deeply, the reason we go fast in a car is that we have brakes.

When we go fast and do not have systematic brakes, it is called an extreme sport. We don’t want to run an established organization as an extreme sport. As an organization, we need to go at high speed, but we need a systematic way of controlling the speed with a proven brake system.

Information security, compliance, and risk management teams exist in an organization to execute projects & programs faster.