Who Should Be Testing? New Considerations after Security Breaches
Debates often arise when people start talking about where a particular IT function should be performed. It’s essentially the IT equivalent of talking politics or religion.
It brings out many opinions—about not only where and who should perform the work but also how the teams should be structured. Then add in the centralized-versus-decentralized approach along with the agile methodology, and the debate really heats up.
This is not a new topic, but I want to think of it from the perspective of who has the knowledge needed to perform the testing function most effectively.
Arguments often center around what the lowest-cost option is, as if testing were merely a necessary evil that should be performed with the least impact on revenue. But when testing is not done properly, it can cause huge negative exposure for organizations and expenses that far outweigh the preventative costs.
Within the past year, major retailers like Target and Home Depot have had significant issues in security testing and breaches that will cost each of them hundreds of millions of dollars to remedy. Some even say Target’s tab could be more than a billion dollars.
What I advocate to all executives—especially at a time when breaches in security can proliferate so quickly and severely tarnish a corporate image—is the adage “An ounce of prevention is worth a pound of cure.” C-level executives need to take a serious look at ensuring that a proper strategy is in place for security, performance, functional, UX, and other types of testing. As part of that strategy, I encourage them to understand who has the appropriate knowledge to think through and prevent potential breaches. Contextual relevance and skill set, rather than cost, are the core factors that I use to determine who should perform the testing.
For example, if you grew up in India, big-box retail stores would be hard to find; if you grew up in the United States, they exist in every state. When the goal is to understand the business model and the implications of application use, especially for applications used directly by the consumer, it makes sense to consider having a portion of that testing done by people who have contextual relevance in that type of big-box niche retail.
Executives should consider what we have recently seen with Home Depot and Target and discuss with managers what their testing strategy is, not purely in terms of cost but in terms of what is relevant to protecting the brand and ensuring its stability with the customer base. Big retailers and brands may have the ability to weather the damage caused by security breaches, but small- and medium-sized businesses generally aren’t as fortunate.
Jennifer Bonine is presenting the tutorials What’s Your Leadership IQ? and Innovation Thinking: Evolve and Expand Your Capabilities at STARWEST, in Anaheim, CA, October 12–17, 2014.