‘Enterprise Grade’ Lessons from #Snapchat Governance Failure

From smartphones to tablets, game consoles to smart TVs, consumers are becoming more informed about information technologies, and are driving businesses to deliver increasingly sophisticated social, mobile, and cloud applications.

This ‘consumerization of IT’ also means business users – who are all technology consumers – are choosing their own solutions for work, adopting consumer-oriented services like Gmail, iCloud, Dropbox, or Evernote.

And cloud services like DigitalOcean.

And social sharing apps like Snapchat.

I recently wrote about how Snapchat leaked millions of users’ phone numbers while DigitalOcean exposed one customer’s stored data to other clients. Yet people still wonder what ‘enterprise-grade’ means, and why all businesses do not just use ‘consumer-grade’ services. But there are real reasons why large, risk-averse businesses are wary of consumer-focused technologies, and why pundits are wary of recommending them.

At least one reason why enterprise-grade still matters is that private tech start-ups typically do not focus on the governance drivers and constraints that larger enterprises need. And it shows.

For example:

  • Start-ups are not public entities, so at least until their IPO they are not governed by Sarbanes-Oxley, Fair Disclosure, or other SEC-governed regulations
  • New businesses are often in new industries – or even creating them from scratch – so they aren’t covered by ‘legacy’ industry regulations like HIPAA or FISMA
  • Some avoid federal oversight by challenging rulings (cf. 23andMe); skirt around it with cursory TOS clauses (cf. Vine); or simply violate regulations and pay later (cf. Path)
  • Many are free to consumers, or use third party payment services like PayPal or Amazon Payments, thereby avoiding payment-related mandates like PCI-DSS
  • Huddling with peers in Silicon Valley limits exposure to regional regulations from Nevada to Massachusetts, let alone international regulations, or global best practices
  • When they do grow into new markets, they may fail to comply with newly relevant regulations (cf. Illinois vs. Square), even after prior examples (cf. Louisiana vs. PayPal)
  • As new entities with young principals, they may never have been exposed to the joys of US Federal records management regulations or Rules of Civil Procedure
  • Indeed, with young leaders and staff, they often do not have any institutional knowledge of fundamental governance (and in many ways, good for them!)

This is one clear difference between consumer-driven and enterprise-grade development. As I wrote in my last post, consumer-driven development focuses more on customer requirements for “convenience, ease of use, mobility, low cost, rapid updates, and cool interfaces”. This focus is important for rapidly building new markets for new products, especially in the world of agile development and DevOps. Meanwhile, start-ups put governance requirements on the back burner, and consumers do not seem to care. Conversely, governance is non-optional in enterprise development, which is often at pains to follow strict policies and procedures, even at the expense of cost, speed, or ease of use.

The same goes for enterprise-grade performance and availability. Very few tech start-ups focus upfront on resilience as a competitive requirement, with Netflix and its Simian Army the most notable exception. More typical of a tech start-up is Twitter’s long-term battle with its infamous ‘fail whale’, an iconic symbol of Twitter’s lack of focus on back-end requirements throughout its earlier days (a symbol Twitter has only recently retired).

Both Snapchat and DigitalOcean serve as object lessons in the meaning of enterprise-grade. The explosion of the API economy has created new exposures, which many young ventures are struggling with. However, for most enterprises these exposures are both known and solved. Enterprise-grade API governance to prevent data leakage can be implemented in process or with off-the-shelf solutions. Functional isolation, acceptance testing, and disciplined change control can ensure changes to existing code are vetted, understood, and communicated. Such practices keep APIs available and secure, without undue complexity, and only for legitimate users.


I would not try to define enterprise-grade in totality. Perhaps it is like obscenity – you know it when you see it. However, enterprise-grade in part means a structural focus on governance, institutional knowledge of ‘known good processes’, and a dedication to protecting consumer and other confidential information, even over profit, convenience, features, and speed.

Of course, not all start-ups are ignorant of governance, just as not all enterprises are perfect. Failures like Target or TJX happen too – but two wrongs don’t make a right. And maybe the heavy focus of traditional development on the invisible back-end is outdated, but focusing on consumer-driven development at the expense of security, regulations, privacy, and other compliance mandates creates a governance black hole.

The prescription then is for both types of organization to resolve the conflict between agility and risk. Certainly enterprise development needs to be more customer-centric; but technology start-ups need to prioritize data governance more, especially as they go chasing the lucrative enterprise market.