Ew, your risk is exposed. 🤢
Dec 15, 2023 3:52 pm
Happy Friday,
I've got a few things swirling around in my head as I write this email. Last Friday reko.day was approved and put in the Apple App Store. It's a free download, and if you use the code FRIENDSANDFAMILY30 you get a free month of service. Having said that, there won't be much content in the app because there aren't many users yet. It's on my mind.
Another thing on my mind is a conversation about security. A topic I love, even though I'm uneducated.
In my conversation, I mentioned how I wish I saw more people using risk exposure calculations when discussing security issues.
You see, far too many teams treat security as an obstacle and not something that is integral to the product. So they postpone dealing with it at the end and spend a long time fighting with folks, trying to get exceptions, and remediating.
Folks who "Shift left" by pulling security into the planning and development process often see very little change to timelines and launch with a lot more safety.
Still, the question that is hard to answer is how much security is too much?
Hence my desire to see risk exposure calculations.
If you remember the movie Fight Club there's a scene where the main character is explaining how the auto manufacturer they work for decides to do a recall. The formula is the basic risk exposure formula.
It goes: Probability * Units * Cost of Failure = Risk Exposure
So let's walk through an example, let's say for another favorite topic: CCPA. CCPA applies to anyone conducting business in California whose business is in data brokerage or has $50m in revenue.e
Let's say you have 100,000 customers in California. The cost of failing a CCPA notice is $7,500 per incident which can happen twice a year.
Now, the next question is, what is the probability? Well, let's keep this easy and pick a high and low. Let's do a high of 10% and a low of 1%. Your exposure would be:
High: .10 * 100,000 * $7,500 = $75,000,000
Low: .01 * 100,000 * $7,500 = $7,500,000
So, what would you do with these numbers? Well, you now get to make a choice of deciding if complying with CCPA is cheaper than not. For other examples, you can weigh this against the benefits of some new revenue feature.
Not everything will be so drastic, but often, these decisions are made pretty easily by a quick calculation.
So, my question for you is, have you ever used a risk exposure calculation before? How'd it go?
Here's my weekly update for December 15th, 2023...
🗒️ Does Theory of Constraints Make Sense for Software?
Two well-known books where leadership and software intersect are The Phoenix Project and The Goal.
These books are novelizations of a company that redeems itself by leveraging the Theory of Constraints.
While The Phoenix Project is very much a take on The Goal with a software angle, the lesson is the same.
So here’s the question: does the Theory of Constraints apply to software development?
🗒️ Are Scrum Masters Worth It?
In my last article, I went through a few frameworks and mentioned how there are plenty of Scrum Masters eager to prove themselves.
They are a peculiar role in most companies, and many Scrum Masters struggle to answer the question, “What is it you do exactly?
”
🗒️ The Good, Bad, and Ugly of the Popular Agile Frameworks
If I were to ever write an article that would prompt an argument online, this is the one.
There is so much noise and hand-wringing about the one true agile framework that it is impossible to make sense of things.
Sadly that puts our community in a position where it looks like we’re more interested in seeing everyone lose than helping anyone succeed.
It also puts leaders in a terrible position of having to wade through the online sludge of before trying to make a choice.
So, with that, I am going to give my short, no-nonsense guide to Scrum, Kanban, and SAFe.
Enjoy,
Ryan Latta