Separation of Duties? Excuse for Billables? Lack of Experience?
Warning: This is not legal advice; this is common-sense advice. Talk to your corporate counsel before you do anything. Max is not my friend’s real name.
Max is mad. Actually, Max is furious.
The latest report on software development from the organization’s consultant, a Big 4 Firm, concluded that his organization needed more separation of duties. For the last 2 years, Max’s teams have been attempting to implement Continuous Deployment, and at every turn the implementation of Continuous Deployment was stifled by self-imposed corporate governance. Max needed advice.
At a high level, and in my non-lawyer understanding, Separation of Duties controls exist to ensure that changing the software is done with intent and is validated for correctness. It is simple governance that describes the process to deploy the software.
Continuous Deployment is the practice of allowing a commit of code to pass through validated, often automated pipelines and be automatically released to production. This practice has been around since the beginning of the 2000s. The value of Continuous Deployment is that the automated pipeline gives developers rapid feedback on the quality of the code within minutes. As a result, a developer can safely push a commit of code to production while still following corporate governance. It is a great practice to reduce cycle time and increase quality.
In fact, Separation of Duties and Continuous Deployment are extremely compatible. Since Continuous Deployment replaces manual human steps with automated, repeatable steps, Separation of Duties becomes easier to audit. This fact allows me to speculate on his consulting firm’s point of view.
- The account manager of the Big 4 Firm does not understand Continuous Deployment and Separation of Duties and was operating under pre-2000s premises.
- There is too much billable value in having one team for development, one team for testing, one team for deployment, and dozens of business analysts and project managers. Implementing Continuous Deployment would eliminate most of these hand-offs and roles.
- The Big 4 Firm has never successfully implemented Continuous Deployment and is giving advice that has worked for other customers in the past.
For Max to implement Continuous Deployment, he will need to change corporate governance. To start these conversations, the first request Max needs to make is that either his organization or the consulting firm rewrite corporate governance so that only two people are required to deploy the software.
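The point above and the earlier observation that automated pipelines make Separation of Duties easier to audit can be shown concretely. The following is an added example, not code from the original post or from Max’s organization: it assumes a pipeline that writes one JSON line per production deploy recording the commit author, the approver, and the automated checks that ran. The field names, the required check names, and the sample records are all constructed for illustration; the audit then enforces the two-person rule (author may not approve their own change) and the "validated for correctness" rule (every required automated check passed).

```python
"""Audit a continuous-deployment trail for Separation of Duties.

Added example (not from the original post). Assumes the pipeline emits one
JSON line per production deploy; field names and records are constructed.
"""
import json
from dataclasses import dataclass

# Constructed set of automated checks a deploy must pass before release.
REQUIRED_CHECKS = {"unit-tests", "integration-tests", "security-scan"}


@dataclass
class Violation:
    deploy_id: str
    reason: str


def audit_deploy(record: dict) -> list[Violation]:
    """Return the Separation of Duties violations for one deploy record."""
    problems = []
    deploy_id = record["deploy_id"]
    author = record.get("author")
    approver = record.get("approver")

    # Two-person rule: a change needs a second person, and that person
    # may not be the one who wrote it.
    if approver is None:
        problems.append(Violation(deploy_id, "no approver recorded"))
    elif approver == author:
        problems.append(Violation(deploy_id, "author approved their own change"))

    # Validation for correctness: every required automated check passed.
    passed = {c["name"] for c in record.get("checks", [])
              if c.get("status") == "passed"}
    missing = REQUIRED_CHECKS - passed
    if missing:
        problems.append(Violation(deploy_id, f"checks not passed: {sorted(missing)}"))
    return problems


def audit_trail(lines) -> list[Violation]:
    """Audit every JSON line in a deployment trail; blank lines are skipped."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        violations.extend(audit_deploy(json.loads(line)))
    return violations


# Constructed deployment trail: one compliant deploy and three violations.
SAMPLE_TRAIL = """
{"deploy_id": "d-1", "author": "alice", "approver": "bob", "checks": [{"name": "unit-tests", "status": "passed"}, {"name": "integration-tests", "status": "passed"}, {"name": "security-scan", "status": "passed"}]}
{"deploy_id": "d-2", "author": "carol", "approver": "carol", "checks": [{"name": "unit-tests", "status": "passed"}, {"name": "integration-tests", "status": "passed"}, {"name": "security-scan", "status": "passed"}]}
{"deploy_id": "d-3", "author": "dave", "approver": "erin", "checks": [{"name": "unit-tests", "status": "passed"}, {"name": "integration-tests", "status": "passed"}, {"name": "security-scan", "status": "failed"}]}
{"deploy_id": "d-4", "author": "frank", "checks": [{"name": "unit-tests", "status": "passed"}, {"name": "integration-tests", "status": "passed"}, {"name": "security-scan", "status": "passed"}]}
"""


if __name__ == "__main__":
    for v in audit_trail(SAMPLE_TRAIL.splitlines()):
        print(f"{v.deploy_id}: {v.reason}")
```

Because the pipeline, not a person, produces the trail, the auditor’s evidence is the same record every time; the two-person requirement is a field comparison rather than a meeting with three hand-off teams.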
We ask that question to prompt the real question: why is a Big 4 Firm managing our strategy? Does this still align with our strategic goals? It will also become clear that Max’s organization needs to take more ownership of its corporate governance and align its deployment strategies with its organizational strategies.