I just published a short article that can be downloaded here, about IT security with the advent of Agile and DevOps development processes.
I tried to give a high-level overview of the new opportunities, and of the new and returning risks, that Agile and DevOps bring to IT security management and governance. This requires that IT security practitioners find new, continuous and adaptive ways to provide the business with the security of its IT systems.
I suggest that all those involved in IT projects, especially those in roles of responsibility, read the IEEE Spectrum series of articles “Lessons From a Decade of IT Failures”, written for the tenth anniversary of the “Why Software Fails” series.
The only comment that I can make is that we all (in IT) still have a lot to learn!
Recently there has been quite a lot of news about failed large ICT projects, starting from the Obamacare rollout and so on. One of the latest items is that Bridgestone is suing IBM for fraud for $600 million over a failed IT implementation (see here for details).
We have known for at least 20 years that large ICT projects are hard and that they quite often fail, at least in the sense that they do not deliver what was agreed at the beginning. (A very easy and often adopted way of guaranteeing that an ICT project is successful is to change its requirements and goals at the end.)
What seems new to me is the fact that news about these failures is becoming more and more public, probably because they affect more and more people, and that someone is starting to complain, in this case to the point that the customer thinks that a fraud has been committed against it.
Actually, this trend could help the ICT business in the long run, since it will force us to learn how to manage large ICT projects and implementations and to produce (at last) higher-quality ICT software products.
I found this article by Prof. Tang and Zimmerman interesting, as well as this interview with Prof. Tang, about complex project management, like that needed to build the 787 Dreamliner, and the problems and risks associated with it.
Needless to say, I wonder what would come out of looking at the IT part of this project. We know that IT projects are almost by definition exceedingly over budget, outrageously behind schedule and full of bugs. Add to this that for the 787 Dreamliner detailed requirements, specifications and integrations have been left to tier 1 suppliers, and that for the first time ever the entertainment system is on the same network as the flight-control system, and I am not sure what the final outcome has been. On the other hand, if the IT part of the project has turned out right, I believe we have a lot to learn from it.