IT Briefcase Exclusive Interview: Why Software Flaws are Costing Companies Billions

By the time a CIO reaches out to Vincent Delaroche, CEO of CAST, it’s usually too late. CAST, which provides software quality measurement at the system level, works with enterprises to stop software outages – those inconvenient glitches that recently caused Delta Airlines to ground 2,000 flights. If Delaroche’s phone is ringing, a business somewhere has hit the panic button and needs help. In this interview with IT Briefcase, Delaroche discusses why the structural quality of software matters and why he’s still extremely passionate about the business he started 25 years ago.

• Q. Why is software quality one of the biggest risks for today’s enterprises?

A. It goes without saying that software is ubiquitous. It runs every business – from the back end to the front, and even our life – from our cars to emergency rooms. Businesses are now moving to further digitize operational and consumer-facing processes to make it easier to conduct transactions and provide services. This means more and more software driving business today. One bad coding pattern in any application can create a domino effect – setting off a chain reaction that shuts down an entire business. I always say the only thing more expensive than writing software, is writing bad software. The average cost of a mission-critical application failure is $500K PER HOUR. Delta’s glitch alone could cost tens of millions of dollars, not including damages to its brand, additional gas prices, worker overtime and technical repairs.

• Q. Why isn’t software quality top of mind for the C-Suite?

A. Herein lies the dilemma. Structural quality of software is rarely examined by CIOs. And for most CIOs, “software quality” means the same as “functional quality”. The structural quality, which includes what’s inside the box and the engineering parts, is seen as too technical for C-level executives. Therefore, the responsibility for coding and architectural quality usually lies at the Project Manager or Director level. So, until a software glitch causes outages that impact the business, executives usually allow quality issues to go unnoticed. By the time the business needs to have someone look at structural quality, they are already in trouble – the victim of a data breach or system-wide shutdown. The typical C-level response in this case is urgent, tactical and reactive. Many fail to be concerned about the technology risk exposure of the business to bad or poorly written software. Glossing over the true root problem only sets their organization up for future risk and potentially more extreme scenarios. This mindset is slowly changing as CAST is putting the issue front and center for chief executives. Every CIO must know their risk exposure and be able to evaluate software risks on an ongoing basis, or the integrity of the company is at stake.

• Q. What needs to happen to change this perception?

A. You can’t manage what you don’t see. CIOs must have access to software analytics related to the business that are standardized and easy to understand (e.g. CISQ standards). Having this will help institute stronger quality standards from the top-down in their organizations. Developer and software engineering teams are often caught between a rock and a hard place, required to maintain fast-paced development cycles that deliver products to market quickly but don’t allow sufficient time for true software engineering quality. It becomes a BLIND trade-off between time-to-market and delivering quality software for the business. Software development is a game of the 10% vs. the 90%. It’s well known that it is only 10% of the bad software patterns that generate 90% of the outages and problems. So while the risk may be “low,” it can have quite a significant impact on the business, and it’s something CIOs and other executives need to understand.

• Q. How does a business measure software risk?

A. The first step to effectively measuring software risk is setting a performance benchmark for your mission-critical applications. Establishing a baseline reading of your performance is essential to setting goals for improvement and measuring your success toward that goal. At CAST, we measure software against the five characteristics promoted by CISQ, a consortium backed by the SEI and OMG: Robustness, Efficiency, Security and Maintainability (which we now break down between Changeability and Transferability). These characteristics signify overall application structural health and should illuminate how well your organization can adjust to the stresses of modern business. At the portfolio level, it’s also a good idea to look at any modernization initiatives you’re taking on as a company – are you moving to a cloud environment? Are you building new applications to support IoT offerings? These projects can change how existing systems interact with each other and open up your organization to increased risk. Having accurate and detailed analytics for your business applications contributes to greater management efficacy and real productivity measurement. These are the hard facts that can’t be argued with in the boardroom.

• Q. What do you tell CIOs when you get them in a room?

A. I ask them if they enjoy the feeling of driving blind and invite them to get a hold of their true risk exposure. The riskiest applications can usually be fixed rather inexpensively, but that cost can more than quadruple after they blow up in your face. This is good news because you don’t need to spend hundreds of millions of dollars to fix the problem, but it can get tricky because the devil is in the details to catch these quality issues before they become full-blown problems. I also encourage CIOs to be more communicative with their executive colleagues. If they arm themselves with software performance data, they can translate that into business intelligence that will not only enable better development practices but help save the company money. It’s important for CIOs to stick to their guns. For example, everything is about micro-services right now. It’s dangerous because it’s the trendy thing to follow in Netflix and Amazon’s footsteps, but their method doesn’t necessarily work well in all environments, for all sort of applications. Finally, I always reinforce the very basic management principle that what gets measure gets improved. Developers and suppliers should fully understand the engineering quality of what’s being maintained and created – often times the very things C-level folks at the top floors know very little about. When top management starts to measure, this has a huge and immediate behavioral impact.

• Q. You founded CAST 25 years ago, what has changed from then to now?

A. I founded CAST on the premise that we need to make the invisible visible. I felt software engineering and software development were very obscure and difficult to ‘see, touch and feel’ for managers and even for developers when facing big and complex systems that no “brain” on earth can understand completely. As the world continues to digitise, software must be more tangible and objective for developers, architects, IT executives and business leaders. The inspiration and vision for CAST has always been to give transparent insights that transform the way business is done. Sunshine is the best disinfectant. Clarity, accountability and measurement are the founding pillars of higher productivity. It’s written all over the place, from Harvard to Stanford. Not much has changed except that we have much more complexity in systems today. We are now at the tipping point. Every week there is an issue with resiliency, etc. We’re starting to see more smart business people who wish to assess their risk exposure and see if they can mitigate or prevent the most crucial risks like big system outages. That’s our specialty, what we’re good at. In the last six or seven years, we’ve seen lots of demand for security but limited demand for software efficiency, resiliency and data integrity – signifying our obsession with instant end user satisfaction. Now we are starting to see some demand for proactive software measurement.

• Q. What are the top three things you have learned on the journey from entrepreneur to seasoned CEO?

A. First, the importance of passion and long-term focus. This is still a business I am extremely enthusiastic about, and I have surrounded myself with not just people that I want to work with but who are equally as devoted to the cause. This is a mission for most of us, not just a job. I’ve always been focused on the purpose, not appeasing investors or cashing out. Secondly, continuing innovation. We invest significantly in R&D. We’ve put over $140million into our software analysis and measurement platforms – and annually that’s a significant portion of our revenue. Lastly, to maximise growth potential, you must establish strong relationships with long-term customers. This is a big challenge for start-ups but those first, critical customer wins are vital to continue growing and not become one of the many businesses that fail to reach its second year of existence. CAST has many Fortune 1000 companies on our client list, and most of those have been with us for ten years or more. You can’t be a flash in the pan and keep names like that on your roster.

• Q. What is your prediction for the software industry in the next 5 years?

A. Disruptive technologies are certainly going to become more of a reality. The Internet of Things is very real and we will see more progress in automation of functions and the expansion of the supply chain. With all of these additional touchpoints comes more and more software and so more chances for poorly engineered software. So the structural quality of software will have to become a major concern for anyone doing complex business. I think certification for quality that include the standards set forth by CISQ will be commonplace, maybe even required. Imagine software being stamped to ensure it is of the best quality – like the equivalent of USDA certifications.

Software engineering quality is certainly reaching its defining moment, and CAST will continue to be along for the ride and lead the standardization of measurement – especially for IT executives plagued with 20/20 hindsight. CIOs often say to me after a big outage or breach, “if I had seen those analytics earlier, I would have ordered a technical audit of the system, and we would have prevented it.” Once again, you can’t manage what you don’t measure.

Vincent Delaroche is the Chairman and CEO of CAST. A passionate entrepreneur and industry thought leader, Delaroche founded CAST in 1991 with the vision that software development could no longer be viewed as an obscure art but rather a performance-driven profession. In CAST, he is building a long-term venture, faithful to his team, clients, partners and shareholders, to introduce what he calls a “yardstick for measuring software.” Native to France, Delaroche now runs the company from New York. Vincent holds degrees in Computer Science and Mechanical Engineering.