Most people have now heard of the Equifax data breach that "potentially impacts approximately 143 million U.S. consumers". This clearly is a watershed moment for computer security and software development and how we handle it both as an industry and even as a country. I believe three major themes will emerge from this debacle:
- How should liability be assigned for this? And to who? (Which will include identifying new parties to hold liable.)
- How can we avoid the centralization of so much sensitive data and yet support a service such as credit reporting?
- How should the software development industry change development practices and policies in order to help prevent such an incident?
The first two items are in-depth topics worthy of considerable discussion on their own. However, in this post, I'm going to focus on the third item. What do we as a software development community need to do about this?
Houston, We Have a Problem
Based on the history of credit agencies and of data breaches, it is likely that we are going to find out that there was a lot of obvious things wrong with Equifax's technology and processes. Of course, it's easy to "Monday morning quarterback." However, in our society, we do expect certain critical tasks to be done correctly most of the time and have instituted various practices to achieve that:
- Lawyers must have a bachelors, complete law school, pass a state bar exam and be licensed.
- Doctors must have a doctorate level degree and they must be licensed.
- Engineers must have a bachelors degree from an accredited program and they must be licensed.
- Software developers must - be able to code?
See the problem yet? We have software developers building systems that are critical to society and in many cases we have no externally imposed education, certification or expertise requirements of them.
From the libertarian and laissez faire perspective, this situation is desirable. Why impede such a dynamic and innovative area of our economy with unnecessary bureaucracy and barriers to entry?
On the other hand, history shows that what we have in the legal, medical and engineering fields is what's coming for software development. It's time the industry grew up, faced the music and solved this problem from within before a solution nobody likes gets imposed on us.
Whoa, Back it Up
Of course, the situation is not really that simple. For instance, let's compare the age of the fields mentioned above in comparison to software development. We are talking in some cases 100s if not 1000s of years in contrast to a tiny 70 years or so for software development. As a profession, a field, and a society, we haven't had time to grapple with these issues yet, both to recognize the problems and to implement reasonable controls in response. The software development field is still a babe in comparison.
Also, there are indeed some areas of software development that are already strongly regulated – military, aviation and medical applications being excellent examples.
But, by and large, many critical areas of our society involve software development that is completely unconstrained in how it is executed. And executing it well in a way that prevents massive failures like what happened to Equifax is extremely hard to do. It requires (at the least) appropriate training and many years of experience.
It's The Culture, Stupid
While there are some positive cultural influences within the software development field regarding this problem, most all of them are ad hoc and voluntary approaches. Meanwhile, we have certifications that hardly anybody requires and far too many programming languages to choose from which impedes the development of expertise. We have a code of ethics that probably not one single reader of this article has ever heard of and a hacker mythology created by Hollywood that glorifies unprofessionalism.
But worst of all, we have a negative societal attitude towards software development and the people that practice it. If you asked a random person about software development, two things they would likely tell you about it is:
- Their cousin's ability to "create a website" makes them a developer
- Software developers are nerds
So, imagine this: you have a valedictorian getting ready to go to college and they are choosing between becoming a lawyer, doctor, engineer or software developer. What are the odds they are going to choose to be amongst "nerds" who are "creating websites" versus those other fields?
Put another way, what kids dream of growing up to be a software developer?
Our cultural attitudes are inevitably lowering the average level of talent in the field. Yet, doing good, reliable, and safe work in this field is at least as hard as any of those other fields.
How Do We Fix This?
I personally took a first step towards fixing this problem 4 years ago when I decided to pivot Data Bakery into a custom software development services company. I already knew about the sorry state of my field (as described above) and wanted to do something much better. So I modeled how I operate based on the successful practices of other fields that are much more mature.
I've got a lot of experience and a lot of knowledge. While Malcolm Gladwell's "10,000 hours of practice to master a field" hypothesis is not universally accepted and I don't believe that appropriate training can only come from universities, I do believe that 10,000 hours of relevant experience is an extremely important factor. I also believe a master/apprentice approach in software development would be highly beneficial – if not quite practical in our modern economy.
I also eschew the flavor-of-the-week technology chase and make careful, long-term tech choices and have become very good at predictably delivering good results with them. I will eventually get whatever certifications emerge as relevant to the field and require them of anybody who wants to work with me.
I want to change how our professionals, field and society deals with software development. If what you read here means as much to you as it does to mean, please contact me. Let's talk.