Compliance Coaching for the Delivery Teams
The list of compliance requirements for delivery teams delivering to the EU market seems to be ever-growing. There's a Cyber Resilience Act, a Financial Systems Act, a web accessibility act and even an extended EU (digital) product liability act. The business drivers for following these acts are threefold: staying compliant (and hence in business in the first place), avoiding the fines, and the key message of having updated systems of great quality. All these improvements are a kind of insurance, both against fines and against the systems breaking in the first place.
I can understand why delivery teams would feel overwhelmed by the volume and think that it's a hindrance to delivering software solutions in a modern way. The biggest challenge, though, is to understand that this has already been solved, both for modern development practices and for highly regulated environments.
Compliance Coaching
What we are looking for is a way for the security and compliance (and testing) activities not to be blockers and bottlenecks for the delivery teams, but to support and enable the deliveries in a non-blocking way.
One way to enable the delivery teams with security and compliance know-how is to have them supported by a Compliance Coach. This is a role or a function, not necessarily a full-time employee. As with Agile Coaches (Quality Coaches and all the other forms of coaches), the key role of the technical coach is not to integrate into the team but to build capabilities in the team and then get out of there.
The key here is to avoid creating bottlenecks and single points of failure in the delivery team. The delivery team can be supported by coaches and services from other teams. Similar to having smarter compliance conversations, it's about designing the organization for fast, high-quality deliverables.
Problems of Imagination
The key conversation is not to tell the team that they have a low CMMI maturity score; it is what it is. The state of the nation is the best the team can do. Things are the way they are because they got that way. It's first of all a problem of imagination, secondly of know-how, and last of a willingness to change.
I know models like this can be provocative ("it would never work for us") or seem academic, and that some consider agile coaches an anti-pattern of organizational overhead. That's ok, it's a model. Like a map, it's better to have any map than no map at all.
A compliance coach with a focus on enabling a team could help any team document compliance requirements (controls) and design ways to automate and verify the implementations, in collaboration with other coaching functions.