Performance, Security, and Privacy (requirements) Oh My!
OK so here’s the thing, let’s face it, working in highly regulated industries is not my favorite thing. I find the requirements management space to be slow, tedious and, most of the time, archaic. I know, there are reasons why the process is the way it is. The rigor and structure are required to ensure the highest quality of the products that impact our lives in very meaningful ways. I get that, I am just saying that I recognize that I have room to grow on projects in regulated environments.
So what does this have to do with requirements management, exactly? I will say that because of the rigor, structure and deep dive required in regulated environments I have new appreciation for requirements management topics related to performance, security and privacy—topics I used to run away from.
For example, the old me:
- Performance? Isn’t that more of an infrastructure and software testing issue?
- Security? Um, yeah, what were you planning to do anyway?
- Privacy? Huh? Walk away from your desk if you don’t want us to hear your phone calls – oh you mean, privacy of data in the system! Oh, yeah, we should think about that.
Performance, privacy and security are now some of my new favorite topics on all of my projects. The new me:
- Performance: Who is managing the performance testing effort and when do they start on the performance testing strategy? Let’s get a meeting on the calendar to discuss the thresholds we need them to test and stress.
- Security: Where are we on identifying security threats created by this system? Do we expect system features to be restricted to certain users? Have we identified authentication and authorization requirements?
- Privacy: Hey architects, what are your plans for protecting personally identifiable information? In transit and at rest? Is there a standard in this organization? Are you held to a regulatory standard?
Let’s be real though, these topics make people nervous. Privacy and security seem to be facing new regulations on a daily basis – try discussing using “the cloud” and personally identifiable information in a global solution – throw in electronic health records and payment solutions and now you have yourself a party! My favorite of these topics has to be performance. While it also makes people nervous, maturity in performance testing services has made this conversation more collaborative than ever.
I know what you are thinking. “But these non-functional things are always thought about at the end of the project, when I have already moved on to another project!” That’s usually because we don’t ask about them early enough. My experience tells me that the earlier you ask the question, whether it is performance, security or privacy, the earlier you can plan for it. By encouraging discussion of these areas early in the project, we can have a true impact on their success.
SOUND OFF: Do you have experience working with performance, security and privacy requirements in a regulated environment? We’d love to hear how you address them in your process.