Scrum is not a way of development; it’s a form of management. At VTS we have adopted scrum companywide. Naturally, we started with our engineering teams, but later we rolled it out to the rest of the organization, in every department. Now the entire company is aligned to sprints and operating on the same schedule.

Converting to scrum from running your department with a “traditional” management method can be a big change, so learning about the way of scrum directly from its “inventors” is definitely a great place to start:

Scrum: The Art of Doing Twice the Work in Half the Time, a book by Jeff and JJ Sutherland.

It’s a misconception that scrum is just for engineering or development. The book is written in a thoughtful way to help you think about scrum no matter what the business line, vertical, or industry. Sutherland does an excellent job of providing real-world examples that are easy to relate to and that show scrum’s true diversity. Here are some of the more interesting takeaways.

The Agile Manifesto:

People over processes

Products that actually work over documenting what that product is supposed to do

Collaborating with customers over negotiating with them

Responding to change over following a plan

pg 13

At the core of scrum is the Agile Manifesto. These are key “rules” for operating quickly and efficiently to produce usable products or usable services for your organization.

In a larger, traditional organization (typically a slower organization), these points may seem idealistic and impossible to achieve. Instead of thinking about how this would never work at your company due to process and politics, try to implement the scrum way on your team.

As an IT/Security example, there are usually a lot of configuration items available when rolling out new tools or software. Conventional wisdom is to get everything absolutely perfect for a silky smooth rollout. If you were to use the Scrum methodology, you might do a partial rollout in terms of features or people to get the product rolled out sooner and start providing real value faster. When we rolled out Okta for identity management, instead of getting it in the ideal end state, for all applications and all users, it was rolled out to all users with just a subset of the most important applications. There were some issues with the rollout. More detailed testing would have likely identified these issues prior to rollout; however, this way got us to the operational end state faster than we would have otherwise.

Remember, 80% complete is probably good enough to provide real value.

“Discuss not what they did, but how they did it. How can we work together better? How can we do more, not by working longer hours, but by working better and smarter.” pg 15

It’s an old adage: “Work Smarter, not Harder”.

There is a tradeoff between solving this problem right now, versus taking more time to solve for the root cause and fix this type of problem forever. Knowing which of these paths to take will come with experience, but it’s always worth the thought exercise to think about the problem in these two contexts prior to moving forward with your solution. Solving a problem for now vs taking extra time to solve the problem forever is a tradeoff of time. If “forever” is only once or twice more, a one-off solution may actually be better.

If you can understand how your team or teammate solved a problem, that knowledge is transferable, creates synergies, and helps you move faster; this is where retro lookbacks can be helpful.

When a project, task, or data moves from one person to another, or from one team to another, knowledge will always be lost in the transition. It is important that a critical piece of information is not lost in the transfer. The sending party may not fully know how the receiver is going to use the data, and how data is used will certainly change over time. The receiving party may not fully know, or need to know, what goes into gathering the data they receive. Therefore, if the sender changes one piece of data for their own needs, it may have drastic effects on the receiving party. This is magnified if the receiver uses this data as input to send data to another receiver. (Hopefully this isn’t confusing.)

What can improve the process or the handoff? To help reduce this type of problem, a Business Architect can help map out business processes. Each department owns its own processes and procedures, but the business architect has a strong understanding of the business as a whole. Their primary role is to make sure everyone understands the processes and potential handoff impact. They also help identify gaps, overlap, and core dependencies.

“The idea is that making any choice involves an energy cost. … your capacity to make good decisions diminishes.” pg 105

This quote is directly related to the previous one. This is not an argument for “work-life balance.” The argument is that you only have X brainpower to use during the day. Every decision you make takes away from X. Once X has been depleted, you have no more brainpower to make informed or proper decisions, and you are much more likely to make sloppy mistakes or errors that will result in more work to fix later. This is why Sutherland has found you are actually more productive when you work fewer hours. You make fewer mistakes when you have brain cycles remaining, instead of running on brain fumes.

“Time makes up your life, so wasting it is actually a slow form of suicide.” pg 81

Nobody wants their personal time wasted. Nobody wants to work on a project that turns out to be useless, meaningless, or abandoned. That would mean the time you spent on the project was wasted time and effort that would have been better spent doing something else. In a startup environment, time is your most precious resource.

One of the core concepts of a Lean Startup is that it does not matter if you build a product or feature on time and under budget if nobody wants or uses it. The key takeaway is identifying if what you are doing as a company, as a project, as a feature, as a contributor, etc. is providing value. If it is not, discover this fact as fast as possible, then change or pivot, thus reducing time wasted.

This can also translate to other departments, such as Information Security, that do not necessarily deliver “products”. Projects, assessments, or daily work must be prioritized based on the value to the company. This may include things such as reducing external risk, reducing internal risk, or just generally helping out when you have the experience or knowledge that can be of use.

It may be fun and exciting finding and fixing an esoteric bug in your application, but it’s not much help to your organization if what is really needed is security architecture advice as the business expands into new technologies.

“So if you were a prisoner, what was the biggest factor in whether you’d go free or not? True remorse, perhaps? … It turns out what really mattered was how long it had been since the judge had had a sandwich.”

We must follow the data to make informed decisions. This is one of the core concepts and takeaways from Malcolm Gladwell’s books.

A judge is unknowingly making decisions based on his mood, affected directly by how hungry he is. Of course he isn’t doing this consciously or on purpose, but it’s happening. We can only correlate, identify, and correct issues if we are doing some form of data analytics.

On a very basic level, you are probably already capturing data. It may not be that much extra work to do the analytics.

In IT: what are the types of support tickets you are receiving, and when are they coming in? There comes a tipping point when it makes sense to implement a solution to either eliminate the root cause of the problem, or implement a technology that allows the end user to solve the problem on their own.

In Security: what are the types of vulnerabilities the engineers are introducing into the code? Is there a pattern that can be fixed through technical controls or education? Is there a time of day or day of the week you are receiving more phishing emails? Take some action to alert your company to be on higher alert during these times.
