100 days at Xebia Quality

For many positions in the industry and government it’s customary to create a 100 vision after starting in a new position. While I didn’t have a clear and detailed plan after moving from Xebia Security to Xebia Quality in June, I thought it would be nice to write a 100 day hindsight.

For those not familiar with my background I will try to give a short summary. When I finished my studies in Chemistry, the world had changed a lot compared to when I started. Information technology was suddenly booming business and the future for the classic industries was looking a lot more grim. As many beta minded people back then I decided to jump the internet fueled world of IT and see what would happen. My first job was as functional tester, which I enjoyed doing for many years. At some point I needed a new challenge and decided to specialize into application security testing. Once you have some level of experience in that area, you will start to do so-called penetration tests and I soon realized that was not my cup of tea. It’s a typical end-stage kind of test and, especially in a time where agile was still mostly an experiment, most of your findings would never be resolved. So quite soon I decided that in order to have more impact, I should find a way to help developers prevent the issues pentesters typically look for. Nowadays we call that ‘shift left’, but at that time it was known as ‘being that annoying security person that developers couldn’t outsmart with technical blah blah’. Six years ago I joined Xebia to help set up Xebia Security together with Jeroen Willemsen and Nanne Baars. The three of us saw development was fully moving to agile, devops, and cloud, while information security was still hiding in the castles build in the 80’s. We expected this gap would soon lead to problems, so we decided to build a dedicated unit to help customers with security, privacy, and compliance issues in agile & devops environments.

While the challenges Xebia Security focuses on still remain to be relevant and are even growing on a daily basis, I again found myself in a position of feeling under-challenged. I have been saying ‘security is just a quality attribute’ since the day I started to move into the field of information security, and I thought I should broaden my scope again if I really wanted to have impact. I also realized that most security related issues originate from a dysfunctional organization, so I should focus on how to fix that. Xebia Quality was the logical place to kickstart that journey as they focus on helping customers to ‘deliver quality software more efficiently’, which is exactly what I was looking for.

Over the last 3 months I have been learning a lot on how to gain insight in the efficiency of an organization, how to visualize dependencies and convert that into a strategic plan, and how to apply a socio-technical approach towards complex situations. I have been reading a lot on wardley mapping, cynefin, causal loop diagrams, domain driven design, systems thinking, and many more topics relevant to answer the question ‘how can you unravel and fix a complex situation". While I still feel most comfortable around challenges related to security, risk, and compliance. my viewpoint on them has changed already. Not only is security just a quality attribute; compliance is just a quality process, risk is just a business driver, and GRC is just a bounded context.

While I realize my journey has just started and I still have a lot to learn, I already created a Wardley map for myself to keep track of my position in a continuously changing landscape and identify the most relevant paths that lie in front of me. At my customers I will be focusing on efficient software delivery by reducing complexity and clutter (often caused by risk and compliance processes).