Crowdstruck, DORA, and the importance of being earnest!
Rob Gillespie
Information architect, content creator, tech writer, content digitalization lead and Web3.0 enthusiast!
The RCA will doubtless be bloody. The root cause of the debacle is moot, but irrelevant to my dialogue.
It is beyond even the powers of Socrates to successfully argue that a catastrophic blunder did not occur. However, it is somewhat simplistic to rush to diagnose the malady as a release error only. The pollution of live code with what can only be labeled as corporately endorsed malware is, I contend, but a symptom of a more malodorous corruption in the body collective.
Anyone who has worked in software development, even tangentially, in the last decade cannot claim to be ignorant of cavalier practices, oft justified by a need for cadence and to satisfy customer needs. Controls and safeguards are shunted aside on a whim, and policies and processes are left to gather dust, unread, and unloved. A deliberate misunderstanding has been fostered, a misreading of the Agile Manifesto duplicitously justifying the dilution of good practice. Any claim that "Working software over comprehensive documentation" justifies the failure to create required content is at best duplicitous.
"Victory has a thousand fathers, but defeat is an orphan." (JFK)
CrowdStrike may have been the author of the most devastating cyber-attack in history. They will be rightly lambasted. A slapsticky comedy morphed with Monty Pythonesque profundity. They should not be pilloried alone. A veritable rogues' gallery must take their place as co-accused.
It would not be the act of a frothing-at-the-mouth madman to assert that Agile development requires more rigorous documentation practices than waterfall. Technical content is nuanced and is not confined to user support and education.
A tentative and painfully inadequate overview:
Organizations require comprehensive policies and procedures. Every aspect of an organization's operation must be mapped, described, and explained.
Customers, regulators, and the world must be confident that policies are observed and that there are appropriate controls and quality gates to ensure a minimum expectation of performance and corporate responsibility.
An honest catalog of what you can and cannot do.
Security is a minimum expectation. Personal data is sacred. Where others rely on your offering, it must be sufficiently resilient to justify that reliance.
An appropriately detailed explanation of how a user might do what you promised can be done.
Who (tf) is DORA?
DORA (Digital Operations Resilience Act) is but one of a raft of legislative endeavors by the EU to regulate the digital economy. In light of the CrowdStrike incident, it seems shockingly prescient. In a brief and grossly inadequate summary, DORA seeks to ensure that users can rely upon the resilience of digital services, a promise underpinned by defined requirements and practices.
I am not here to extol the virtues, or otherwise, of the legislation. On reading it, there was a powerful whiff of Back to the Future (without the DeLorean alas). DORA applies globally and should have profound implications for modern development practices. Anyone who has worked in technical content (or related specialisms such as UI and UX) can testify that organizations have dispensed with the services of many, quoting the need for agility to achieve cadence, the rise of AI, or the emergence of intuitive personalized user interfaces. Naturally, we should read operating profit or maximization of the ROI for (dark) angel investors.
My manifesto
It is our collective obligation to be earnest about espousing the need to establish and observe good practice, even when being earnest is unpopular.
Note
I do not claim to be a developer, tester, or scrum master. My errors are my own and I welcome correction for the greater good!