Let's spare a thought … What is the security infrastructure of any software development company trying to safeguard?

As a trainer, I happen to visit a different software company every 3 days or every 5 days, and each time I visit a software company the first thing I encounter is the "elaborate security infrastructure" of that company, wherein one can encounter numerous security guards, barricades, procedures, policies, scanners, access controls, cameras, etc. Some companies have reasonable security systems in place, while there are companies which are very finicky about security, wherein the security is as tight as the security at airports, with X-ray machines and physical frisking, along with a lot of items, including media items, being barred.

In a nutshell, software development companies invest heavily in the "security infrastructure" of the company.

At the outset … although the visitor faces a bit of inconvenience, the first impression that a visitor gets is "Wow". He feels that he is now entering a very special place wherein the company is developing or creating something very special, with a lot of trade secrets to be protected.

But every time I come across this elaborate security infrastructure I get a bit confused and I ask myself this question … Do we really need such an elaborate security infrastructure for a software development company, and what are we trying to safeguard?

As I teach system design to most of the software engineers … one of the basic principles that we teach is:

"Security of any system can be increased by increasing the level of indirections within the system, wherein the more the number of indirections, the more secure your system is; but on the other hand every level of indirection, while increasing the security, reduces the performance by the same factor (or increases the response time by the same factor)." Or: performance and security are inversely proportional to each other.

Hence we always advise the participants to be very judicious while dealing with security, as every initiative to increase the security of the system will definitely have a negative impact on the performance of the system.

For example … there are some software development companies in India wherein a person can take almost 40 to 45 minutes just to reach the intended place within the company (for me it’s the training room). Consider the fact that every door or every entrance has security guards and access controls.

Now the question is … Is this level of security justifiable?

The answer is pretty simple …

If security is of paramount importance and performance is not a critical aspect for the company, then this elaborate security infrastructure makes sense.

But now consider the following facts and then try asking this question …

"What is this elaborate security infrastructure safeguarding?"

Anyone who is part of a software development company will be able to understand the facts that I am trying to put across.

Do you agree that in most of the projects in this industry the usage of UML or standardized modeling is virtually non-existent?

I hope you will agree that in most of the projects in this industry … documentation is very minimal and standardized models like UML models are virtually non-existent, wherein most of the project members deal with code and understand their project in terms of code. And most of the time the code is poorly commented as well.

(Just to share with you: in the past 6 years I have been repeatedly asking this question to most of my participants (more than 10-15 years of experience) and offline they all confess that the above-mentioned fact is indeed true.)

With minimal documentation and virtually non-existent UML models, the result is that the entire domain knowledge about the project and its corresponding solutions is actually stored in the brains of the individual engineers working on different parts of the system.

With this, do you think all your project members have the same understanding about different aspects of your project? Think about it: with no common model representing the problems and the solutions … is it possible for all project members in the project to have a similar understanding about their project?

My experience in system modeling shows … 60% of the understanding of the project can be common across project members, but for the remaining 40% each of the project members will/can have a different understanding of the same project.

Question is … Is this acceptable?

Ask yourself this question … Whenever a new engineer joins a project, how much time does he need to get hold of what’s going on in the project? Using my experience I can say that with minimal documentation, virtually no standardized models and minimal comments in the code … the only way is to make this new guy sit with different project members so that individual team members can share their understanding of the subsystem that they are working on, and this is how this new member gains an understanding of the system.

And how much time will this take?

For a mid-size complex system it can easily take at least 1 to 1.5 years for this new member to get some substantial understanding of the overall system [I am not talking about a small module of a system] to start contributing at that level.

As one can see, the learning curve is very steep in arrangements like this.

Also, as the knowledge of the project is stored in the brains of the engineers … ask yourself: if an engineer leaves the company … don’t you think he is taking the precious domain knowledge [problem and solution] along with him? And I hope for any IT company [be it product based or service based] the actual property is the knowledge or information, unlike the conventional industries wherein you deal with physical systems.

The question is: can the software industry afford losing the critical asset of the company just because an employee is leaving his job, being so helpless that they cannot secure that knowledge with them?

Although there is Knowledge Transfer … wherein the companies ask the leaving member to transfer his knowledge … most of the time it is done on a very casual basis, wherein it depends on the discretion of the leaving member to decide what to disclose and how much to disclose. And second, even if he is doing it in the right way … are we not transferring knowledge from one engineer’s brain (memory) to the next engineer’s brain (memory), the way we transfer data from one memory stick to the next one? Let's ask this question … is this engineering?

For service-based software companies it might not be a very severe hit if the company loses this information … but I feel it can be a big hit for a product-based software development company.

And it is not that the software development companies are not investing money in security, and it is not that they don’t understand the importance of security … almost all of these software companies are spending a huge amount of money on the security infrastructure and security policies. There are security guards on almost every door, along with access control systems installed on every door. Apart from that there are video cameras etc. There are security policies like what a person can carry … what the rules are … any storage device should be declared or prohibited … in some companies the security is as tight as the security at the airport, wherein there are X-ray scanners for employees, visitors and their luggage.

My point is: what are we safeguarding by controlling who is going where and which hardware device [like memory sticks, cameras etc.] he is carrying? The most precious asset of these companies is actually stored in the brain (memory) of its engineers … which these devices cannot interface with …

Ideally an engineering company will have a lot of documents and engineering diagrams which are very precious to any engineering company … Let us understand: no engineering company is trying to safeguard the resultant system being created, i.e. the code of the software system in this case, which the users will get anyway … They are actually safeguarding their knowledge which goes into creating this system.

In the software development industry, with minimal documentation and virtually non-existent standardized models, there is nothing in the company worth carrying … what will the person do with the code when he can be easily caught? And even if he is able to take the code along with him … with minimal comments, the code is nearly useless. And how can a visitor or an external person access your code when most of the systems are protected by authentication details?

I come across numerous cases wherein the company gets a maintenance project in which all the customer gives it is a huge glut of code (which was written by some developers from some company) with minimal documentation and models, and the development team takes years to understand why certain things are done in a particular way. I am sure most people who have worked on maintenance systems would have encountered this situation in their project.

There are some software development companies wherein cameras or mobile phones with cameras are not allowed. My question is: what is there within a software development company that is worth clicking?

And how can this security setup control the knowledge stored within the brains of the engineers … They keep moving in and out of the company through the same security scanners; how do they ensure that outside the company they don’t share this information with any other person?

In a nutshell, the actual asset of any software development company is in a form that cannot be secured and safeguarded … and most of the security systems in place are not capable of addressing this problem.

I do agree that one would need a great level of security for a call center or for a BPO or a KPO, wherein the customer-specific data needs to be safeguarded at all costs, and I do agree that the highest level of security is also needed for an engineering company wherein a lot of intellectual property or knowledge needs to be safeguarded.

I also do agree that the highest level of security is needed for a software development company as well, to guard their intellectual property / knowledge (i.e. the knowledge about the problem domain and the solutions), but not before they get their engineering process and teams in order, wherein they are able to structure, manage and safeguard their most important asset.

My only concern with software development companies is … although they present themselves as engineering companies, unfortunately their engineering processes are so immature that they are not capable of managing, storing and safeguarding their intellectual knowledge / property, which is the most important asset of any engineering company.

As pointed out earlier … it is not because of the incapability of the security agencies or teams, but because of the lack of modeling or engineering expertise of the engineering teams, which no engineering team or software development company will ever accept.

To me (as a person with expertise in systems analysis and design) it looks like this entire security infrastructure is merely a façade which is actually built for the customer, so that the customer feels secure that his system is in the safe hands of the software development company.

I sincerely hope that the software development companies realize that if they invest a fraction of what they are spending on security infrastructure in developing the engineering / modeling skills of the development teams … these problems can be addressed at their root.

Hemant Jha
Founder - VPlanSolutions
Researcher, Trainer