Episode 19: Why All Companies Should “Shift Left”

Q&A

What does shift left mean, especially pertaining to organizations from different backgrounds and industries?

Sean: I think part of shifting left is around the software development practices. It focuses more on collaborative decision-making as well as customer satisfaction. Traditionally, companies focus on the waterfall method of development, which entails long integrations of development, followed by testing, then quality control, then launch, and finally come the bug fixes, updates etc. This linear trajectory essentially slows companies down as they move forward post launch. Now, the more digital companies, the ones that have shifted left, are combining all phases like development, testing and quality control into one phase.

How do you define risk in shift left and differentiate it from some other more agile concepts?

Dana: One of the biggest aspects of shift left is collaboration. Many of the companies we work with in various industries have so much expertise in different areas that you can miss out if you don’t collaborate and tap into it. The idea of shift left is to compress the timeframe, but if things like compliance, regulations, and framework are not considered early, that just creates more work on the backend and extends the overall time frame. Therefore, if the risk questions aren’t asked upfront, it’s going to eat into your ROI because now you have to go back, readdress potential concerns and go through that loop again. That’s why we make sure to introduce the idea of collaboration early, to ensure the right people are at the table and are introduced to the essential framework as early as possible. 

Moving to a shift left perspective entails an overall organizational change. Rick, as you work on operation expenses more closely, what are your thoughts on shift left?

Rick: While shift left must be embodied in your development and risk management practices, it starts as a design principle for the whole organization. When we work with companies who want to shift left, it begins with rethinking the way their technology organization operates. It’s an infrastructure change that requires changing mindsets of people to think about the strategic point of view rather than worrying so much about things like password resets. Shifting left means you’re not a break fix organization anymore. Rather, you are asking yourself questions like how do you get ahead of demand? How do you start being a partner with the business and producing solutions so that you are solving their problems with what is available in the stack already? Those are important questions that change the way people interact with one another. 

Sean, can you share your perspective on how some of the companies that have always been more digital (more left) are looking at companies that are starting to move left now? What are some differences between the more natively left companies vs. the newer left companies?

Sean: What I see with the Silicon Valley unicorns that are more natively left is that they will have incorporated unit testing to every bit of their code, automated testing across the board and100% coverage. They will have security testing implemented early in that process so that third-party components which may have vulnerabilities and could cause a breach are detected before that code ends up in the production environment. On the other hand, what I see with some of the more traditional non-digital companies is that the code has limited test coverage, which increases the likelihood of flaws entering that production environment. To make it worse is that there's nothing in their processes or their controls to detect vulnerabilities in the source code, which increases the likelihood of a cyber-attack. So, those stark differences really make a huge difference and are probably just the smallest mechanisms of or the early stages of going digital or shifting left. 

Dana, I'm curious what you're seeing more when it comes to the shift left in the highly regulated industry, that is financial services.

Dana: Actually, one of our big bank clients who I work on with risk asked us to help them get faster and compete with fintechs, with the caveat that there are regulations that they still need to ensure they meet. So, we conducted research on the companies that are far left, on their business model, matrix, the industry and the regulations, and found something to note. Not all industries can follow the same trends. For instance, an outage in a bank is far more significant than a Netflix outage. Ultimately, it’s all about researching not only financial services but also the specific company/bank because no two banks are the same. Our client still landed more left than they started. What I would say, though, is that what is allowing them to get faster is that culture and perspective of proactive risk. It's not about breaking something and fixing it later anymore. It's about getting ahead of the curve and saying, what are the risks? Can we proactively break it for ourselves up front before release or before we even get into any sort of true detailed design? It’s also about making sure we're asking the risk questions and having the right people up front. So for us, it's about finding that balance and making sure the tradeoff is appropriate for speed to risk.

As you work with different companies, what are your thoughts on where you've seen companies start as they're trying to shift left?

Sean: I think it's completely different depending upon the size of the organization, the age of the organization, and some of the processes and controls which are already ingrained in their teams. Every so often we'll see a small organization who wants to shift left execute the change quickly. However, it is far harder for a bigger company to shift left quickly, and driving this change must be done incrementally. I think that introduction of maybe smaller steps, greater unit test coverage, perhaps, as one thing, the software composition analysis as another, just adding those in help. Another variable is the kind of code a company works with. Additionally, leadership as a whole also had to be on board. Overall, there are numerous factors a company must think about as they think about shifting left.

Rick: First and foremost, you should be clear on your end goal. The bank that Dana and I worked with had a clear goal – to be compliant and competitive with fintechs. Once you’re clear, it’s also important to ensure everyone is aligned on the final goal and steps along the way. So, a general principle for shifting left is having a clear vision of where you’re going and understanding the gaps today, and then cultivating the ability to self-evaluate against their goal and operationalizing it all.