The Flow Framework™ – Treating risk items as a security cost

In the Flow Framework™ there are four flow items that provide value to the end-user of your product:

  • Features (new business value)
  • Defects (quality)
  • Technical debt (removal of impediments to future delivery)
  • Risk (security, governance, compliance)

A software organization must devote time to each flow item, as all four are crucial to a strong product. To understand this more clearly, it can be useful to compare each item to its counterpart in a financial budget, as I did recently when I compared technical debt to financial debt.

In any organization, it’s vital to lay out a budget and understand how your budget affects your bottom line. How do your expenses generate value to your organization? How do your product development efforts generate value to your product? In the world of software, we typically think features are the single thing that provides value, but that’s a near-sighted philosophy. In reality, we must take a broader approach to the value we provide through software products.


Considering that companies have been using balance sheets, income, and cash-flow statements for centuries before software was invented, there’s value in seeing what commonalities we can find between the act of producing value with our financial capacity and the act of producing value with our software development capacity.

For instance, what financial expenses correspond to risk flow items? I posit they match most closely with general security expenses such as the key-fob operated locks on the office doors, the cost of the security guard, and the cost of the bodyguard for key executives. These are the company expenses that correlate most closely with the engineering work necessary to deliver risk flow items for a software product.

Let’s unpack this a bit. Risk flow items are those things that may not produce direct value or demand for your product, but whose absence can lead to devastating lawsuits, loss of customer trust, and significant business risk. These items include securely managing passwords, ensuring web traffic is encrypted, protecting against SQL injection, and preventing clickjacking.

Just like security for a company, risk items are not something you typically advertise in and of themselves. With a few exceptions (such as “we’re SOC 2 certified”), it’s rare to brag about an individual risk item. When they are discussed publicly, it’s typically as messaging about who we are as a company. They’re about defining your organization’s identity as a safe and secure place for your customers’ data. It’s saying “security is in our DNA”. The first ad in the compilation by Apple below does a good job of illustrating this point:

I have no idea what Apple did to make their computers secure, but because of this ad, I feel that they’re a secure company and I’ll be safe with them.

Just like with security expenses, the very best you can hope for when handling risk items is to reduce the probability and impact of a bad thing happening. You will never stop everything. Therein lies the rub.

You can always spend more on risk. It’s especially difficult to weigh the value of risk items against the more tangible and immediate impact of features and defects. Those have much more measurable effects on the bottom line of the business. Even technical debt is easier to measure since it eventually allows you more capacity to work on features and defects. Risks are harder. Risks are black swans. There’s only so much you can do to protect yourself, but the impact of not protecting yourself against these risks can be catastrophic.

The other similarity between security and risk is that no matter how much you spend on the items (either in pure dollar terms or in engineering effort), it’s still entirely possible to be blindsided by either 1) something you completely missed or 2) something you deemed not important enough to tackle. In both cases, it does little to say, “Yes, we failed to protect against the event that hit us, but look at all the other things we protected against.”

So when it comes to budgeting for your engineering efforts, be sure to include capacity for risk items. While delivering risk items won’t directly bring in more customers, they are incredibly important for the survival of your product. Risk items do two things for you:

  • They signal to the market what you value in your product
  • They offer protection against threats to your company

The hardest part is knowing how much to invest in this area. No matter how much time, money and effort you put into risk items, you will always have vulnerabilities. But just because you can’t protect yourself from everything doesn’t mean you can’t (or shouldn’t) protect yourself from most things.

Learn more about managing risk items in your value stream

Grab a copy of Project to Product to see how the Flow Framework™ can help you better manage how business value flows across your software delivery value stream:
