
Why Does My Wife Know About 4G?

My wife has more degrees than I do but she certainly is not a technorati. So when I accompanied her to the cellular phone store to pick out a new phone I was floored when I heard her talking about 4G with the sales guy. I’ve been in marketing for 20 years and, for most of that time, involved in high tech, complex sales marketing. We spend a lot of time and effort trying to simplify our marketing messages: elevator pitches, unique selling propositions, user scenarios, personas, sales decks, and PR briefing kits all designed to be concise and focus on pain-based messaging.
How the hell do the phone companies get away with marketing 4G as a differentiator? If I tried to use the platform our software runs on as a differentiator, I would be laughed at and probably unemployed.
So how do these marketers get away with it?
A mature, highly competitive market is sometimes called a “Red Ocean.” In this market scenario, providers are fighting over small gains in market share with offerings that are very similar. A phone is a phone. If one phone comes out with a new feature or app, in a very short time all the other phones will have that feature and app. It’s difficult to maintain the value justification for any price difference. When the U.S. was on 3G, 4G was that discriminator. Marketers needed to differentiate, so 4G became a status symbol: “Oh, your phone is 3G? Oh my!”
I should stop picking on the phone people because this holds true for many products in many industries. One that drives me crazy as much as 4G is security. The information security industry — along with the media — has done a great job scaring the crap out of everyone. I attribute this to the fact that the Cold War intelligence community, having been downsized by the U.S. Federal government, needed to find new buyers for their skills. So, go scare the commercial space and open up a consulting practice. Yippee!
Now, I’m not saying that security isn’t important — it is — but as Melinda Ballou from IDC explains in her recent Software Quality Analysis and Measurement report, security is part of a larger quality management effort. According to Ballou, security is about 20 percent of the quality management effort, but areas such as architecture analysis, quality metrics/measurement, application portfolio analysis and code analysis are equally important in ensuring quality products for your customers.
So how come these other areas aren’t as talked about? Have you seen any Wall Street Journal articles lately on code analysis or quality metrics? In truth you have. Take a look at the #ITFAIL summary for 2011. I’m sure you have heard of some, if not most, of these very public events. Failure to approach quality management from a holistic perspective makes you vulnerable in one, if not more, of the areas I mentioned above.
To be sure, one differentiator that has stood the test of time is quality. Just like 4G, security is an important part of a quality product and customer satisfaction — but it certainly isn’t the only thing.
I can’t wait for the day when my wife says “We really need a SQL Injection tool!”