In April of this year, I was assigned to lead a Quality program for all of IT at my company.Â Meaning, I and my team are supposed to significantly improve the quality of ITâ€™s deliverables in the next couple of years.Â This improvement in quality is supposed to reduce support costs, reduce incidents and downtime, speed delivery through the creation of reusable materials, ensure we have proper testing environments, etc.Â Of course a lot of this implies the need for training and behavior changes, which opens up the people change management can of worms.Â It still makes my head spin when I think about our scope.
I also still ask myself, why me?Â Why is an InfoSec Manager with expertise in identity and access management being asked to make changes that impact the worlds of (just to name a few) project managers, testing, delivery, operations, and support?Â What do I know about these things?
When I asked the leadership this initially, the responses I got were things like, I have a good perspective on customer service, Iâ€™m familiar with the support and infrastructure teams, and I have a reputation for getting things done.Â OK, I buy that.Â I think they also wanted an impartial outsider â€“ since Iâ€™m not part of any of the organizations impacted by the work, Iâ€™m more likely to be impartial.Â I buy that, too.
What I really wonder is if they realized just how much my InfoSec background really plays into this new role â€“ am I slow in discovering what theyâ€™ve known all these months, or is it just an interesting coincidence?Â The reality is, itâ€™s SCARY how similar quality and security are.Â I was reading a Gartner presentation on aligning InfoSec with the business a few days ago, and realized somewhere in the middle that I could replace the word â€œsecurityâ€ for the word â€œqualityâ€ in the entire presentation and the statements would be just as true.
Think about it:Â what is security?Â Security is the set of practices, processes, and technologies that for the most part no one wants to deal with.Â Theyâ€™re often viewed as extra work.Â Most people buy into security only because itâ€™s required and because if they donâ€™t, bad things happen.Â But what happens when you do good security?Â Nothing.Â No denial of service attacks, no lost data, no hacks, no unexpected downtime, no firedrills, no audit findings, noâ€¦ you get the picture.
And what is quality?Â Quality is the set of practices, processes and technologies that for the most part no one wants to deal with.Â Theyâ€™re often viewed as extra work.Â Most people donâ€™t buy into quality because itâ€™s not required but when they donâ€™t do it, bad things happen.Â And what happens when you do good quality?Â Nothing.Â No unexpected downtime, no rework on designs, no missed requirements, no customer complaints, no 3am support callsâ€¦Â See what I mean?
In one way, security is easier than quality because there are legal requirements for it.Â But quality is easier than security in that the consequences of bad quality are much more visible and easy to understand than the consequences of bad security.
So now what?Â In my last blog post, I pointed out that the unintended consequence of rewarding too much speed is getting not enough quality.Â Interestingly, when it comes to something like project delivery, customers continue to reward speed at the expense of quality even after having numerous bad experiences.Â Why?Â Well, for one thing, speed equals money and itâ€™s hard to argue with that.Â Weâ€™re also very much an instant gratification culture â€“ â€œwaitâ€ is a four-letter word.Â But the key issue is that the customer experience is negative.Â Remember â€“ itâ€™s the positive experiences that drive the behavior, not the negative ones (this is very true in InfoSec, too).Â This brings us back to Nothing.Â Once we can demonstrate to the customer base that good quality leads to Nothing, they will reward Nothing, which will in turn encourage quality.
It would seem that my job is once again to sell everyone on the virtues and benefits of Nothing â€“ in a bad economy no less.Â *sigh*
Then again, Seinfeld made a lot of money on Nothing, so maybe Iâ€™m sitting on a gold mine and just donâ€™t know it yet. 🙂