Secure Coding mailing list archives

Re: Interesting article ZDNet re informal software development quality


From: George Capehart <gwc () acm org>
Date: Sat, 10 Jan 2004 14:51:04 +0000

On Friday 09 January 2004 12:02 am, Bruce Ediger wrote:
> On Thu, 8 Jan 2004, George Capehart wrote:
> > security.  *That* is part of the requirements.  If it's not a
> > requirement, then the system owner signs off on it and accepts the
> > risk.  Developers are *not* risk managers.  I agree 1000% with your
> > position that part of good security is balancing the cost of the
> > process and controls against features and risk.  But the decision
> > about how much residual risk will be accepted is up to the business
> > owner of the system, *not* the developer . . . It's a business
> > decision, not a technical one . . .

> But in the context of the "interesting article" that lent its title
> to this thread, the "system owner" and the developer roles often
> belong to the same person.  Or nobody in particular has the "system
> owner" role.

But there *is* a system owner.  The business owner, or the DAA in C&A 
parlance, is the person who is accountable for the risk that he creates 
for the organization by using the system.  Notice that I said "system."  
Not just software.


> Even in a corporate environment, the business owner of some system
> is often so lacking in technical savvy, or is more interested in
> jockeying for power than in actual managing.

Technical savvy doesn't enter into it.  The business owner needs to 
manage risk.  There are *all* sorts of risk that have to be managed; IT 
risks are only a small subset, and those that are generated by software 
are a small proportion of the overall IT risk.  The manager doesn't 
have to/shouldn't be the one to detail and quantify each and every 
risk.  He/she has specialists in the different disciplines to do that.  
It is the subject matter experts' job to present the manager with the 
risk scenarios and a cost/benefit analysis.  The manager then has to 
choose the tradeoffs that cause the least amount of pain.

Jockeying for power is another matter.  That means that that manager's 
boss is not doing his/her job . . . and is creating risk for the 
company.

> Risk management devolves
> onto the developers in most or all corporate development.

That may be.  That it does points to poor or non-existent corporate 
governance and risk management.


> Just like failing to acknowledge the tensions between aspects of
> "quality", saying that a "business owner" or "system owner" of
> a system should perform risk management, and the developer should
> not, denies the reality of most software development.  Holding such
> a position makes you part of the problem, not part of the solution.

I'd turn it the other way around.  The risk is *not* the developer's to 
manage.  It is the business/system owner's (whether he/she knows it or 
not).  If the organization suffers losses from the use of the system, it 
is not the developer who is accountable.  There is much more to the 
topic than I think you are aware.  It would be very hard to do the 
subject justice via the email channel, much less in one message.  If 
you'd like to pursue the topic, let me know off-list and we'll try it over 
the phone . . .

/g