Agile for Budgeting

Agile (Scrum in particular) is a framework for Product development, not just software development. It’s been successfully used for a wide variety of products, from medical devices to ad campaigns.

Let’s consider an organizational budget as another form of product, and explore if Agile might offer some advantages as an approach. Key among Agile values are embracing change; transparency; inspect and adapt.

Annual budgets are resistant to change, by their nature. While a sizeable portion of the budget might be necessarily fixed, not all of it need be. Some good-sized chunk of the overall budget can be marked as “adaptable”, being altered at some time-boxed frequency during the year, to best meet business priorities at that point in time, by a consistently organized team. Depending upon the organization, its culture and needs, the release of this could be quarterly or more often.

The overall annual budget tends to reflect a command and control culture in most organizations, even in those perceived otherwise. The budgeting typically is one pass, and then consolidated. Instead, try multiple passes, iterating, with transparency of plans between organizational units.

The funds for each item are implicitly the metric for business value; if there are other factors, then this needs to be explicitly stated, and ranking of business value made clear, for each budget item.

If an organization is going through a significant transformation, the budget not only should reflect this, but needs to adapt to changing circumstances along that transformational journey. The environment around the organization will change, and particularly for transformations, malleability is essential for success. Adaptive means agile, not the traditional approach.

note: originally posted to LinkedIn Pulse, Nov. 2015

Advertisements

Cultivating the Zone

In the zone: usually we think of this state in terms of athletes, or creative artists: musicians, writers, dancers, poets.  Yet it’s not just for individuals, but for teams and groups as well; an example is the hyperproductive IT developer teams, mostly associated with XP and Agile practices.  Psychologists seem to prefer the term, “in the flow”, and that’s how you’ll find it in Wikipedia.

Think of it as an alignment of deep skills and a clear, achievable, meaningful task; a state of resonance between reality of the moment, the task to be accomplished, the skills brought to that situation, and an exceptional focus on that task.

It’s not just highly productive, or good solid work; it’s exceptional, out of the everyday mode of doing.

It’s never guaranteed; no sure recipes for entering into that state.  It cannot be forced.  But it can be encouraged and cultivated, nourished; allowed to happen.  Impediments to it identified and removed.

Some conditions probably necessary to achieve this state are:

  • The person or team is skilled in their field, perhaps deeply skilled.  A sense of mastery, pride in those skills, and some confidence in their use.
  • A bit redundant, that they have to enjoy what they’re doing.
  • The task is well defined, perceived as achievable, but challenging.
  • A high degree of focus and concentration; absorption in the task at hand.
  • This absorption can result in a feeling of being one with the task. The person becomes the work.
  • A feeling of fluidity, less difficulty than normal, performance seen notably above the usual.

How can we cultivate the conditions to help get into the Zone?  We, as individuals, as managers, team members, project managers, setting up an environment that allows this to happen:

  • Minimize distractions and encourage a sense of focus.  For some this means suitable music; for others, quiet; for some teams, something to impart energy. Perhaps a sign outside the team area, “Do not stick fingers in the cage.”
  • Make sure that tasks and goals are well defined and achievable. But don’t micro-manage.
  • Create an environment of minimal worries.  A sense of safety, isolation from threats.
  • Encourage a culture of mastery of the relevant skills, so that the basic tools are extensions of our thoughts. The thought effortlessly becomes the action towards the goal.

Don’t be concerned about rewarding this behavior: being in the zone, feeling that flow, is its own reward.

 

 

What’s Missing From Your SDLC

Having an SDLC (Software Development Life Cycle) documented is not to provide a minimum effort on development, or something to ignore, and keep writing programs as the mood strikes.  It’s part of an effort to follow best practices, to deliver high quality software on a repeated basis.  Even Agile methodologies can have an SDLC.

SDLC’s usually cover the core of the process of software creation, from initial requirements through design, coding, testing, integration, user acceptance, etc.  Some key elements are often overlooked, or considered not to be part of software development.  I’d like to suggest that you think about some areas that might improve the quality of the software you create if they are part of the SDLC.

Production support is not just about maintenance and fixing defects.  It’s about the ongoing improvement of what you delivered, preparation for the next release; part of the SDLC.  It’s about empowering the users, giving them the ability to fix their own problems when possible and reasonable; giving the right tools to the first level of support.  Not just documentation, an FAQ, or online Help, but items like creation of an error log and error trapping.  If the application has a database or data store, did you design a quality check on stored data, not just relying upon front end edit checking?

Does the application offer its users the opportunity to report problems, or give feedback about the interface they use?  What are the processes you envision for the ongoing improvement of the product?

Some SDLC’s include a Lessons Learned as part of closing out the development effort, project wrap-up.  The problem with that is it doesn’t do any good for the project in question, since that’s over, and seldom is examined either for the next release or by other projects.  Taking a page from the Agile approach of a retrospective for each iteration (sprint), why not do a Lessons Learned at each major milestone in the project, so the project can actually benefit while still in progress.

Security reviews should be part of the SDLC for all applications, not just web apps, not just for external facing ones.  How vulnerable is your application if another behind the firewall is compromised?  Security is part of the design process, not just something during the testing phase.

Security challenges are constantly changing, and some level of awareness needs to be part of the mindset of developers, not just IT security professionals.  Look towards organizations like OWASP (Open Web Application Security Project) as a resource.  Their Top Ten Security Risk list might startle some of your peers.

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

The Department of Homeland Security has some excellent resources, such as a National Vulnerability Database http://nvd.nist.gov/  as well as checklists and guidelines.  Look around their site.

Security is often a nightmare for developers, but there are people, organizations and tools to help you.

Look at your SDLC, think of the ongoing life of your applications, and what might enhance their quality.  The SDLC is an ongoing opportunity for process improvement.

 

Rejuvenating the Infrastructure

The lack of agility of the infrastructure, especially the data center and systems programming/ administration is so obvious that the nascent DevOps movement has arisen to combat this perceived deficiency.  Much of that movement’s visible contribution has focused on automation and tools (e.g., Chef, Puppet, cfengine, Nagios) rather than on frameworks or processes.  Not surprising, given the talent for coding of many of the DevOps advocates.

There are other obstacles:

The Data Center values stability of the environment, and resists change; change is seen as a risk, not as any form of added value.  In general, perhaps especially for larger IT shops, other than changes due to bug fixes or security patches, the data center is isolated from positive aspects of application and environmental changes.  New metrics could provide a more flexible approach along the lines of increased Business Value (BV).  Some places, especially those along ITIL lines, may use a metric for risk as part of Change Control, but I have not heard of a corresponding one for enhanced BV.  That BV metric could be a 1 to 5 scale, or a set of numeric guidelines.

Much of the effort of the infrastructure is about process, with solutions well defined.  The challenges are more along the lines of:

–       Sheer scope of tasks, as the whole enterprise may be involved, with associated risk of that dimension.

–       Interdependencies

–       Complexity

–       Volume of work (especially with sharp peaks)

–       Lack of teams

For volume, automation and tools can help; one should also investigate frameworks like  Kanban, limiting the work in progress at any moment.

The lack of teams in infrastructure remains a source of concern for me.  Teams, behaving as teams, not just silos of individuals with common product-oriented expertise.  For example, a group of system administrators each with distinct separate sets of servers to manage, with no or little collaboration between members of the group, is not a team. The situation not only deprives the company and the participants of the benefits of a team approach, but reinforces the sense of isolation and endless repetition of upgrades and patches.

In my prior blog post on Skill-Centric Teams, a key point is that teams can be created across functional silos, basing them on the shared skills and challenges.  While there are distinct differences between a UNIX system administrator, the Windows counterpart, and their mainframe brethren, but there is so much in common, including, but not limited to:

–       Issues of change management

–       Communication with developers

–       Application development (AD) support methodologies or frameworks

Application development infrastructure support frameworks deserve a separate post.

 

Database Vulnerabilities and NoSQL

Information Security professionals state that perimeter security alone is not sufficient; just having network firewalls is not enough to secure your environment.  Both devices and people can circumvent perimeter security.  Devices:  how would you discover if a wireless router was placed on your network?  People:  do you ever use consultants, temps or contract workers?

There are many ways DB’s are vulnerable, with new ones occurring with new features and new releases.  How current is your DB on security patches? Did any of your DB installs create demo or sample databases?  While those don’t have sensitive data, they do represent security exposures.

At a recent chapter meeting of a web application security group, OWASP, some vendors were present.  Chatting with one, Application Security (http://appsecinc.com ), I was glad to learn about a tool that deals with database vulnerabilities, DbProtect.  I’m sure it has competitors with similar functions, but to me, not an InfoSec specialist, it was very impressive, covering most of the common distributed DB’s.

While the mainstream relational DB’s have tools to help address vulnerabilities, the newer NoSQL data solutions do not, yet are subject to many of the same types of vulnerabilities.  Use of MongoDB, CouchDB, Riak, Redis, Hadoop, MapReduce, etc. continues to rapidly grow.  And these are being used in more business-critical applications, or with sensitive data.

Even if used for non-critical applications and non-sensitive data, they still can present a risk, for some may have accounts with privileged access to the critical DB’s, the relational ones; or they may provide elevated access to the operating system.

If you’re using a NoSQL DB, check with your vendor for security assurance tools, or at least some recommendations for those.  Make inquiries of existing DB security vendors;  even if they don’t currently have a suitable tool, they might respond to market demands and create one.

Even if insufficient when compared to commercial products, in the absence of a suitable tool, consider creating a tool, script or checklist to seek common vulnerabilities. Change passwords to any DB default accounts, and use strong passwords (not ones that might appear in a dictionary.) Check for vendor patches frequently.  Keep posted about security exploits against that specific DB.  Something like a Google Alert using a string based upon the DB name (e.g. Sybase) and “security exploit” could bea s good starting point.  Keep learning about DB security.

Choice is a Gift

 In traditional development methodology, tasks are assigned to the developer, usually by their manager or by the project manager.  In an Agile environment, the team is self-organizing.  Managers accustomed to hierarchical or command and control cultures find this unsettling, almost heretical. But repeated studies (e.g., Forrester) have shown Agile teams to be more productive.  Within the Agile community, one even discusses a team becoming hyper-productive, as though achieving an elevated state of awareness, transcendent.

 My assertion is that giving the developers the ability to choose is a major contributing factor in that increased productivity; furthermore, that this can be applied in non-Agile environments.

 It is not just the selection among different options that is empowering, but the detailed involvement in the decision process.  With that involvement comes a commitment of mental energy, an increased degree of being invested in the outcome.  The ability to choose is by itself a reward. 

 Effective choosing cannot be done in a vacuum.  As a manager, part of your role in giving a team the ability to choose is to make sure that they have correct information, as rich a context as possible for their decision;  where this fits within a larger view.  Your ability to communicate your vision is an essential ingredient in the outcome. 

 One must factor in the nature of the team:  how experienced they are; their knowledge of both subject and technology; their interaction with each other.  The degree of guidance you provide is part of your art as a manager. 

 Trust is key: bi-directional trust. You trust them, but they also need to feel that you have their back covered. Do you trust them enough so that YOU take responsibility for their choice?  If your boss comes asking, it’s still your responsibility.

 Choice can also inspire creativity, options as a gateway to innovation.  You believed the options were A, B or C, but once the team got actively involved in the decision process, they came up with a supersonic rainbow that did it faster, more reliably, and made the users happier.

 As a manager, it takes courage to trust your people and give them the gift of choice.  Reward them with this, do it wisely and well, and don’t be surprised if their excellence exceeds your expectations.

 

The Virtual Water Cooler

A key to excellence in managing remote staff is to go beyond formal communication and status reports, to have regular, frequent informal exchanges.

For example, encouraging creativity and innovation often requires interaction beyond the confines of formal channels. In a real office (as opposed to virtual), casual conversations, around the stereotypical coffee machine or water cooler, facilitate these types of contacts.

To really succeed in remote management, you need a virtual water cooler. Think about your own experience with communication outside formal channels or settings. Think about all that you heard or learned at gatherings at the local pub.

Think of such a channel as one for information gathering, listening; occasionally an exchange of ideas, a conversation.

A simple way of creating a virtual water cooler is for a manager to be available in a chat context (e.g. chat room), or for instant messages, at a previously posted time.

If there’s some news or event in the company, industry or larger context, pick that as a topic, announce it, and make yourself available.

If you seek to increase unity among members of a distributed group, facilitate communication. For example, once a week, have a different team member present some tech news or tidbit that they found interesting. But the manager MUST attend those meetings. For others, it should be optional.

Strengthen the sense of a shared mission, a shared vision.

Communicate outside the direct and most immediate, to allow room for the remarkable.