Software Configuration Management : Three Key Ingredients for Your Sanity

Introduction

From the very first days of programming, IT Managers have been concerned about managing the changes to mission-critical applications that drive their business. Now more than ever, IT teams are challenged to meet not only their own needs, but the rapidly evolving needs of the entire corporation they serve. Implementing a more formal process could mean the difference between corporate success and corporate failure over the next five years.

Yes! It is that important!

Quality software delivered on time and that works as requested is no longer an occasional miracle. It is now an absolute expectation that IT departments must meet every time. Savvy IT manager are increasingly adopting best-practices to improve their core business functions. They are also looking for tools to help them attain these goals without over-burdening their already maxed-out staff.

Today, we have matured these concerns into a formal discipline that many call Software Configuration Management or SCM for short. If you did an internet search of SCM, you would doubtless find dozens of web sites, white papers, even entire books on the topic. (See the side bar for a collection of some of my links).

The goal of this paper is much simpler: to introduce you to the basic concepts, to get you thinking about the ideals, and perhaps even to motivate you to investigate this powerful discipline further.

The Three Tenets of SCM

In its simplest form, SCM can be broken down into three core components: Process, Documentation and Security. The remainder of this paper will focus on two key aspects of each of those components. First of all, what are the attributes of this component? What makes it so important, so beneficial? Secondly, if you are looking for a software-based solution to help you meet these standards, what features and functions should you be looking for?

Process

From the cradle to the grave, human beings thrive on consistency. Any parent of a toddler will tell you how important it is to maintain a consistent routine. As adults, it is well-documented that our stress levels soar when our daily routines are significantly altered. Why is it, then, that we IT professionals endure so much chaos in our daily lives? How can we stop the madness and regain our sanity? The only way to break out of this chaotic, never-ending fire fighting mode is to first define, and then fully embrace, a formal process.

If you examine today’s most popular best-practice models such as CMMI, COBIT, and ITIL, you will find good process management at the heart each of them. Many industry regulations such as SOX and BASEL are based on one or more of these standards. For many companies, these laws suddenly elevate the need for a well-defined formal process from “would be nice if we had it” to “somebody goes to jail if we don’t have it”.

Why is a formal process so vital? Consistency and productivity.

When you create a process, you are outlining the precise steps for the successful completion of any business function. Taking the “road less traveled” made have made all the difference for poet Robert Frost, but it will most certainly mean disaster for you. Whether you are requisitioning a new PC or rolling out the next release of your mission-critical application, you have created a precise path getting you from start to finish.

Benefits of a Formal Process

• Increased Productivity. By making the process the same upon each iteration, you make it repeatable. By making it repeatable, people inherently become more efficient in navigating each step. Additionally, any new-comers to the process become productive much more quickly and with fewer mistakes. Taken together, these two benefits spawn even more benefits such as: increased job sharing, more efficient use of human resources, faster time-to-market, and a reduction in backlogs.
• Increased Consistency. Because you are performing each step along the path the same way each time, you are limiting the amount of variations to the process. This dramatically increases the consistency of the output of your process. There are fewer errors in the final result, and the result is much more likely to be as expected. This dynamic was proven years ago by W. Edward Deming, the founding father of Total Quality Management. (See appendix for more information on Deming and TQM).
• Increased Predictability. The formula here is so simple: Chaos = Unpredictability, Consistency = Predictability. It is this defined and enforced process that removes the chaos and replaces it with the consistency, which then leads to greater predictability. This means that everyone involved in the process intimately knows each step of the process from start to finish. Once the process begins, it is much easier to monitor its progress. You will know more quickly when the process stops, when it deviates and when it gets bogged down. The sooner you know, the sooner you can take corrective action to reduce the time lost and increase the accuracy of the final results.

Software Features Supporting Process

• Improving your Existing Process. If you have already established a formal process to manage your workflow, can the tool implement and enforce it? Will the tool make following your process easier, saving your team valuable time? Does it make the process repeatable?
• Creating a Process. If you have no process, can the tool help you create one? If you have a poor process, can the tool help you improve it? Is the vendor knowledgeable enough in process management techniques and best-practice methodologies to guide you?
• Complete Solution. Can the solution manage your entire process, helping you from start to finish? Will it adapt to your desired level of process compliance (e.g. SOX)?

Information Documentation

It has been said that a typical IT professional spends 10% of his day reading information but 40% of his day searching for that information. Said another way, data doesn’t become knowledge until you can get your hands on it (and your mind around it!).

Having defined and implemented your process, the next benefit of a more formal SCM process is that it collects informative data. In fact, the vast majority of this information is collected automatically in the form of process-based documentation. This elegant sounding term is simply this: as people push work through the process, the process documents the who, what, when, where, why and how of that work.

Benefits of Process-based Documentation

• Continuous improvements can be made to your process. The golden rule of Continuous Process Improvement is that you can’t improve what you can’t measure. Now you’ll have the measurements to pin-point what is working efficiently and what is not.
• Easier compliance with best-practice and auditing regulations. There isn’t much that makes auditors smile, but giving them stacks of reports about your activities really lights up their faces.
• Enhanced communication among teams and across teams. It doesn’t matter if you are a two person shop or if you have dozens of developers across many continents, people need information about what the other members of the team are working on. This information must constantly be kept up to date, must be easy to find, and must be easy to filter.
• Faster, more accurate determination of the health of a project. By the same token, project managers need current data, filtered views and meaningful reports to track the progress of work.
• Highly automated capture of data. Automated means the data is captured consistently and accurately every time. Automated means little or no human effort is required. This frees your staff to focus their energies on why they are there in the first place: to drive your business forward.

Software Features Supporting Documentation

• Information Capture. Look at the quality and quantity of the information captured. Can it be customized? Is it enough for your needs? For the needs of your team? Your auditors?
• Information Retrieval. Evaluate what takes to access this information. Remember, you’d like to spend somewhere less than 40% of your day gathering this knowledge. Look for features here such as ad-hoc filters to get just-in-time views, parameter driven graphical reports and logical displays with meaningful values and dashboard-type metrics.
• Information Automation. Evaluate the level of automation. How much human effort is required to capture the data you need? How much effort is required to keep the information up-to-the-minute up-to-date?

Security

Having a process is pointless if people can circumnavigate it. Have logged data is worthless if can be altered. While SCM security certainly means locking down your production source and objects, it also means controlling who does what, to what, when and how. In other words, security enforces the adherence to your established procedures. No more cowboys. No Wild Wild West. You need to set it tight, keep it tight and prove it’s tight.

Benefits of a Secured System

• Production control. You know that the source and objects in your production environment can only be changed via your established process. This gives you greater confidence that the master source in production matches the master object in production.
• Adherence to procedures. You know that your procedures are being followed because there is no other way to effect changes. This ensures that the changes that come out of your process are what you are expecting. It also ensures that you have the full documentation you need come audit time.

Software Features Supporting Security

• Ease of implementation and maintenance. Look for a tool that enables you to set security based on job types or roles, e.g. developer, manager, QA tester, implementer. Then associate the many individual users with these roles, only changing the default settings when absolutely necessary.
• Ability to fine tune. Each key step in your process should have at least a Y/N switch for each profile. Make sure your tool gives you all the security options per role that you will need not only today, but as far down the road as you can see.
• Integrate with other security lists. As much as possible, you’d like a tool that can tap into other security tools and lists that you are already maintaining, e.g. LDAP.
• Graphical or web-based access. This separates the user interface from the data and the platform, giving you platform independence, fast learning and ease of use.
• Effective reporting. You need to continuously monitor the effectiveness of your policy with easy to understand audit reports that show both the adherence of your security and the places where people are violating it.

Ease of Use

For those of you who are counting along, I promised three tenets and here is my fourth! As a SCM Sales Engineer of over ten years, I’ve given thousands of product walkthroughs. Someone during the call will usually ask me, “Is the product easy to use?” In fact, they ask it with such frequency that I felt compelled to add it here. However, in my opinion, it isn’t worthy quality for evaluation.

“Not worthy?” you say. “Isn’t ease of use important?”

Yes, of course. It is vitally important. It is so important that no product on the market today could exist if it was not truly “easy to use”. Next, ease of use is such a subjective term. What is easy to one user seems impossible to the next. Finally, during the evaluation stage, just how much of this can you determine? Your closest view is during the live demonstration and guess who is driving that? A seasoned Sales Engineer who knows the product like the back of his hand, can give you the demo in his sleep and is well trained to make the product look how? You guessed it! Easy to use.

So, save yourself some time. Don’t ask the vendor if it is easy to use. If you must have some rating on the product’s ease of use, find out some people that you trust that are using the product and ask them.