Why Governance Matters: The Key to Reducing Risk Without Slowing Down

Transcript

1. sarahwells.dev Why governance matters: the key to reducing risk without

   slowing down Sarah Wells

2. sarahwells.dev Why governance matters: the key to reducing risk without

   slowing down Sarah Wells

3. sarahwells.dev “Governance” has an image problem

4. sarahwells.dev

5. sarahwells.dev

6. sarahwells.dev

7. sarahwells.dev Change Advisory Boards

8. sarahwells.dev “a group that reviews, evaluates, and approves or rejects

   proposed changes”

9. sarahwells.dev

10. sarahwells.dev

11. sarahwells.dev “approval by an external body simply doesn’t work to

    increase the stability of production systems” Accelerate, Forsgren et al, 2018

12. sarahwells.dev “However, it certainly slows things down.” Accelerate, Forsgren et

    al, 2018

13. sarahwells.dev https://www.fca.org.uk/publications/multi-firm-reviews/implementing- technology-change

14. sarahwells.dev CABs approved 93% of major changes

15. sarahwells.dev “This raises questions over the effectiveness of CABs as

    an assurance mechanism”

16. sarahwells.dev What’s my point?

17. sarahwells.dev DORA Core, https://dora.dev/research

18. sarahwells.dev Effective teams are autonomous - which requires loose coupling

19. sarahwells.dev CAB groups don’t have the context

20. sarahwells.dev Catch issues through good observability

21. sarahwells.dev CABs were just one example

22. sarahwells.dev Making the case for governance

23. sarahwells.dev Salesloft Drift breach, August 2025

24. sarahwells.dev https://status.salesforce.com/generalmessages/20000217

25. sarahwells.dev https://cloud.google.com/blog/topics/threat-intelligence/data-theft- salesforce-instances-via-salesloft-drift

26. sarahwells.dev https://blog.cloudflare.com/response-to-salesloft-drift-incident/

27. sarahwells.dev Responding to this breach

28. sarahwells.dev Lots of AI FOMO

29. sarahwells.dev An incident involving many teams

30. sarahwells.dev Do you understand what data you have where?

31. sarahwells.dev Governance at Drift

32. sarahwells.dev https://trust.salesloft.com/? uid=Update+on+Mandiant+Drift+and+Salesloft+Application+Investigations

33. sarahwells.dev https://trust.salesloft.com/? uid=Update+on+Mandiant+Drift+and+Salesloft+Application+Investigations

34. sarahwells.dev https://trust.salesloft.com/? uid=Update+on+Mandiant+Drift+and+Salesloft+Application+Investigations

35. sarahwells.dev https://trust.salesloft.com/? uid=Update+on+Mandiant+Drift+and+Salesloft+Application+Investigations

36. sarahwells.dev https://trust.salesloft.com/? uid=Update+on+Mandiant+Drift+and+Salesloft+Application+Investigations

37. sarahwells.dev Supply chain attack on npm

38. sarahwells.dev https://www.aikido.dev/blog/npm-debug-and-chalk-packages- compromised

39. sarahwells.dev https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply- chain-compromise-impacting-npm-ecosystem

40. sarahwells.dev Responding to this breach

41. sarahwells.dev Does our code depend on any of the packages?

42. sarahwells.dev https://xkcd.com/2347/

43. sarahwells.dev https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply- chain-compromise-impacting-npm-ecosystem

44. sarahwells.dev https://semver.npmjs.com/

45. sarahwells.dev Did we pull down a compromised version?

46. sarahwells.dev Autonomous teams means you don’t know what’s going on

47. sarahwells.dev Poor governance costs you

48. sarahwells.dev Security issues

49. sarahwells.dev Unexpected costs

50. sarahwells.dev Impact on delivery

51. sarahwells.dev Investing time and effort in the wrong things

52. sarahwells.dev We do need governance!

53. sarahwells.dev “Governance” has an implementation problem

54. sarahwells.dev 43 documents you need to read

55. sarahwells.dev Let’s look at those DORA core capabilities again

56. sarahwells.dev DORA Core, https://dora.dev/research

57. sarahwells.dev Bring engineering skills to bear

58. sarahwells.dev Governance: a definition

59. sarahwells.dev (Software engineering governance)

60. sarahwells.dev The set of principles, practices and tools that help

    teams make consistent, informed and safe technical decisions

61. sarahwells.dev The set of principles, practices and tools that help

    teams make consistent, informed and safe technical decisions

62. sarahwells.dev The set of principles, practices and tools that help

    teams make consistent, informed and safe technical decisions

63. sarahwells.dev Good governance is not about saying “no”, it’s about

    saying “yes”, safely

64. sarahwells.dev Good governance allows organisations to move *faster*

65. sarahwells.dev The challenges

66. sarahwells.dev Engineers want to do the right thing

67. sarahwells.dev What IS the right thing?

68. sarahwells.dev Humans make mistakes

69. sarahwells.dev Do the tools and processes catch these mistakes?

70. sarahwells.dev People don’t magically get aligned

71. sarahwells.dev Henrik Kniberg: https://blog.crisp.se/2023/09/20/henrikkniberg/agile-intro- slides-from-my-kth-talk

72. sarahwells.dev Marcus Hamrin: https://medium.com/@hamrinmarcus/another-perspective- on-alignment-autonomy-fb3b2edd4a69

73. sarahwells.dev Henrik Kniberg: https://blog.crisp.se/wp-content/uploads/2016/08/Agile- Africa-keynote-Alignment-at-Scale.pdf

74. sarahwells.dev Modern software estates are complicated

75. sarahwells.dev Getting governance right

76. sarahwells.dev Foundations Guardrails Alignment Choices

77. sarahwells.dev Foundations: Know your software estate

78. sarahwells.dev Building your inventory

79. sarahwells.dev https://backstage.spotify.com/discover/backstage-101/

80. sarahwells.dev Start simple

81. sarahwells.dev https://www.infoq.com/presentations/productivity-ft/

82. sarahwells.dev The FT’s service catalogue model

83. sarahwells.dev Extending the graph

84. sarahwells.dev Getting the data

85. sarahwells.dev

86. sarahwells.dev The hardest stuff to find

87. sarahwells.dev Making the invisible visible

88. sarahwells.dev Track changes too

89. sarahwells.dev https://medium.com/ft-product-technology/the-advent- of-change-api-8dae0f95245e

90. sarahwells.dev What you get: ✓ Clear picture of current state

    ✓ An idea of where needs attention ✓ Basis for response - and for automation

91. sarahwells.dev Aligning technology decisions

92. sarahwells.dev Know the direction of travel

93. sarahwells.dev “Cloud only 2020”

94. sarahwells.dev Building on the strategy

95. sarahwells.dev https://www.thoughtworks.com/radar

96. sarahwells.dev https://www.thoughtworks.com/radar/byor

97. sarahwells.dev https://opensource.zalando.com/tech-radar/

98. sarahwells.dev Communication and knowledge sharing

99. sarahwells.dev https://github.com/joelparkerhenderson/architecture-decision-record/tree/ main/locales/en/examples/secrets-storage

100. sarahwells.dev What you get: ✓ People can make decisions ✓

     Less duplication of effort ✓ Fewer surprises

101. sarahwells.dev Making smart technology choices

102. sarahwells.dev The allure of shiny and new

103. sarahwells.dev The case for boring technology Dan McKinley: https://mcfunley.com/choose-boring-technology

104. sarahwells.dev When to break the boring rule

105. sarahwells.dev Developing a culture of thoughtful adoption

106. sarahwells.dev Innovation to support business outcomes

107. sarahwells.dev The impact on governance itself

108. sarahwells.dev What you get: ✓ Innovation in the right places

     ✓ Standardisation for everything else ✓ Plans, not chaos

109. sarahwells.dev Building guardrails that work

110. sarahwells.dev Guardrails vs policies vs standards

111. sarahwells.dev ✅ Policy A high-level statement of intent or principle,

     usually approved by leadership. Purpose: Explains what must be done and why Characteristics: • Broad, overarching, and strategic • Often technology-agnostic • Non-negotiable: everyone must follow it Example: “All production systems must be backed up daily and backups must be retained for at least 30 days.”

112. sarahwells.dev 📏 Standard A set of specific, detailed rules or

     requirements that operationalize the policy. Purpose: Explains how the policy is met, often with technical details. Characteristics: • More specific and measurable • Often define technical configurations, frequency, or thresholds • Can vary by environment or system Example (to support the backup policy): “All production databases must use vendor-supported snapshot backups scheduled at midnight UTC, with retention set to 35 days.”

113. sarahwells.dev 🛡 Guardrail A control that guides behaviour to keep

     it in line with policies or standards. Purpose: Keeps teams aligned to policies without needing constant manual review. Characteristics: • Often built into tools • Can be preventive (blocking unsafe changes) or detective (alerting on drift) • Balance: tight enough to protect, loose enough to allow innovation Example: “A spending alert that triggers when monthly spend exceeds 80% of the forecasted budget.”

114. sarahwells.dev ✅ In summary: What Example Policy High-level rule “All

     data must be encrypted at rest.” Standard Detailed, actionable requirement “Use AES-256 encryption for all databases.” Guardrail Check or control “Prevent deployment of storage without encryption enabled.”

115. sarahwells.dev Make the right thing the easy thing

116. sarahwells.dev The FT’s Engineering Checklist

117. sarahwells.dev

118. sarahwells.dev You needed to do this to spin up AWS

     resources

119. sarahwells.dev Build in flexibility for legitimate exceptions

120. sarahwells.dev

121. sarahwells.dev

122. sarahwells.dev Automation is your friend

123. sarahwells.dev What you get: ✓ Catch problems early ✓ Clarity

     of what good looks like ✓ Flexibility where needed

124. sarahwells.dev Conclusions

125. sarahwells.dev From bottleneck to enabler

126. sarahwells.dev Good governance is largely invisible to developers in their

     day- to-day work, manifesting as helpful automation, clear guidelines, and self-service tools that make the right choices the easy choices

127. sarahwells.dev Good governance is largely invisible to developers in their

     day- to-day work, manifesting as helpful automation, clear guidelines, and self-service tools that make the right choices the easy choices

128. sarahwells.dev Foundations Guardrails Alignment Choices

129. sarahwells.dev Available at the GOTO bookstore! https://sarahwells.dev