Executives pay a lot of attention to resilience. That’s sensible given the frequency of localized acts of nature, accidents and technological or attack-related emergencies. You can’t allow disruptions to break things. Resilience goes by many names: continuity of operations, disaster recovery, risk management, business continuity, disaster preparedness. Regardless of the name, the goal is simple – ensure that mission-essential functions continue to be performed. That’s good, but it’s not good enough. Here’s why.
The pace of change in the world is relentless. We see — and will inevitably continue to see — collisions: the second- and third-order consequences of new and old technologies bumping against one another. The daily accumulation of these collisions produces the same level of stress that emergencies do. Which means resilience is not enough.
The book Antifragile: Things that Gain from Disorder argues that the opposite of fragility is not robustness, but antifragility. Antifragile systems actually benefit from chaos, shocks and change. For example, biological systems actively benefit from shocks and change — stress wood forms when part of a plant is subjected to mechanical stress like wind. Without stress wood, a tree can grow quickly, but it cannot support itself fully. It will collapse. Similarly, our bones and muscles are made stronger by the stress of weight-bearing exercise.
In my view, the goal of 21st-century organizations is not just to be robust in the face of unexpected and undesired shocks (the conventional resilience perspective), but to be antifragile — to get stronger from expected and unexpected change. This means getting better at three things:
1. sensing — If you know what’s coming — both opportunity and threat — you simply have more runway to exploit it. This presupposes having the skills and knowledge to understand and evaluate what’s coming. Experimentation — consciously and continuously launching numerous small experiments in the real world (not the lab) — is a powerful technique for sensing.
2. choosing — In highly complex, chaotic times, the number of choices and the amount of VUCA (volatility, uncertainty, complexity, ambiguity) surrounding those choices are unlimited. You have to continually make smart, strategic choices, even in foggy conditions. Disciplines like value-based management, combined with more sophisticated overlays such as scenario planning and option valuation, can help you be more antifragile in the face of change.
3. changing — Working on your ability to change is a powerful tool in the quest for antifragility. But it’s easier said than done. Mastering change requires a whole host of disciplines, including agile methodologies, collaboration, transparency and fluid organizational structures. But perhaps most important is a culture of change. How much change can your organization handle? Do you explicitly assess and reward people for embracing change?
If you implement too little change, you will get left behind by rapid shifts in citizen expectations (on the demand side) and the IT industry (on the supply side). By contrast, the more change you implement, the more change you can implement. It’s like healthy lifestyles; the more you exercise the more you can exercise. If you want to win in the 21st century, don’t just strive to be resilient. Strive to be antifragile. Embrace change and action over stability and inaction.
Let’s not overlook the fact that it’s harder to hit a moving target. That means Pivot Speed is a useful benchmark for antifragility. The faster you can revector and keep moving, the more antifragile you are. With that in mind, here’s some practical advice on antifragility for Tech Executives:
“You need to have pivot speed so you can change faster than the adversary.”
Hon. James Hondo Geurts, Acting Under Secretary of the Navy
Address to the 2021 Navy Forum
There are going to be slip-ups. There are always slip-ups. A solution will go into production but fail to operate. Or an upgrade will go live but cause a problem. How do government Tech professionals defend against slip-ups? They often try to make IT services robust, standing strong in the face of disruptive change. Unfortunately, these good intentions have evolved into counter-productive IT orthodoxies. Here are a few examples of common practices it’s time to eradicate:
N-1 is the philosophy of never deploying the latest release (sometimes called ‘N’) of a software product. Instead, organizations delay deployment until the release has been superseded by a later release, and often by one or more service packs. Security vulnerabilities go unfixed. The organization’s users are starved for the latest features and functions. The organization’s performance suffers accordingly.
Freeze Periods designate certain times of the year as “too critical” to permit IT changes to go into production. Over time, the freeze periods take up more and more of the calendar until eventually no changes can be implemented at all. The organization gradually falls behind the pace of change in the environment.
Change Control Boards impose increasingly long lists of reviews and schedule constraints. The change process takes more and more time, mostly involving humans checking that other humans filled in forms correctly, rather than checking that the right changes are being made. Change Control Boards are often better described as Change Prevention Boards.
“Our change control process has left us two years behind on patches. We’re actually more vulnerable because of our compliance processes, not less.”
– A Federal Government CIO
Architecture Standards and Guidelines attempt to provide guardrails for technical compatibility in pursuit of “backward compatibility,” but all too often raise barriers to the introduction of new technology. In the worst cases, the Enterprise Architecture team becomes known as the Department of No.
All of these techniques started out as well-meaning attempts to avoid risk, but they actually ended up increasing risk. Let’s work to replace them with modern DevSecOps best practices from the commercial sector.