By John Favazza, Vice President of Research and Development, WebLayers, Inc.
You wouldn't drive a car without insurance, nor would you skydive without assurance
that your parachute will open. So why is it that governance is still considered
an afterthought in many IT shops when it can dramatically mitigate the business
risks resulting from policy violations?
There are several reasons, or excuses, as to why governance sometimes takes
a back seat in the overall IT strategy. It's usually due to a combination
of culture and software development processes that view governance as the step
to take when things go awry or as a time-consuming and unnecessary extra layer
that results in product delays.
This is not to say that governance as a whole is not viewed by many as a critical
part of the software development lifecycle. In many instances, architects
and developers think about governance as something that should be applied only
to the development of specific applications or services and not the entire infrastructure.
And let's face it, there's a growing contingent of "once bitten, twice
shy" architects and developers who have learned the hard way that partial
governance is as effective as half an umbrella in a rainstorm.
However, when you think about the way that the infrastructure is evolving --
supporting service-oriented architectures, cloud computing and mainframe modernization
-- you quickly realize that code that was originally intended to support one
aspect of the infrastructure is being reused by different teams throughout the
This leads to a proliferation of applications and services that go beyond their
original silos. On the plus side, this is a time saver because the best
practices are being shared. On the minus side, of course, is the risk that the
reused services contain errors. This is likely due to the fact that as
the applications and services continue to be tweaked to address specific business
needs, they become vulnerable to more coding errors.
Without visibility into the entire infrastructure, you run the risk of distributing
what initially seem like minor errors. Yet these small bugs can grow into
bigger business issues.
Consider the recent programming error that led to a 23 quadrillion dollar credit
card charge for a package of cigarettes. While quickly corrected, it calls
into question the level of visibility into and the cohesiveness of the entire
With this in mind, it's interesting to note that the cost of fixing software
code after it's been deployed can be 50-200 times higher than if the issues
were addressed as the code was being written.
Along these lines, given the amount of resources that companies have invested
in creating a fully integrated architecture, you have to wonder why the conversations
about breaking down silos are still topical. Again, the culture may contribute
to the lack of integration throughout the enterprise, though in large part it
reflects the larger issue regarding the way that software is developed and deployed.
It stands to reason that if the services and applications are going to be distributed
throughout the infrastructure, so should governance. To mitigate risks and extinguish
the misperception that governance adds work, it makes sense to introduce it
as part of the development process as opposed to a checks-and-balances mechanism
to be deployed when the application is in final review stages.
Through distributed governance, enterprises can put into place the policies
and best practices that should be followed as the software continues to evolve
and serve different parts of the organization whether it's an SOA, cloud or
any major IT architecture.
About the Author
John Favazza is vice president of research and development at WebLayers. Prior to WebLayers, Favazza held senior management positions spanning engineering, research and development for leading enterprise software vendors focused on SOA, web services security, and management and threat prevention products.