Why don’t software companies take a more aggressive ‘Risk Based’ approach towards product quality & reliability?
All you have to do is read the headlines: this week it was Engadget reporting how (another company) found a security flaw in a Samsung Device.
This wasn’t a trivial matter; Samsung is portraying itself as being on the leading edge of the Internet of Things (IoT) expansion with their “SmartThings” hub.
Yet Cisco Talos discovered 20 Major Security Vulnerabilities in the publicly available product.
According to Cisco Talos, those 20 vulnerabilities could have allowed attackers to control the internet-of-things devices connected to it.
Hackers could have taken advantage of the flaws to disable smart locks and gain physical entry to people’s homes, for instance, or to take command of nanny cams and CCTVs to monitor a house’s occupants or an establishment’s activities. They could’ve used the flaws to disable motion and alarm systems or even to damage appliances connected to the hub.
The spokesperson from Cisco Talos was being very generous when he stated that Samsung “did a lot of things right and should be commended for the way [it] designed [its] devices to be easily updated.”
Here’s the biggest problem: Samsung didn’t find the flaws. Cisco Talos discovered the vulnerabilities after the product was on the market and “alerted” Samsung to them – which means that alot of their customers were ‘at risk’ until the patch was created (hopefully fully tested) and delivered to them.
How ridiculous is that?
Why didn’t Samsung, during the product design phase, engage the services of experts (like Cisco Talos) to work with them to ensure serious risks were identified and mitigated, prior to shipping the products?
If they didn’t have cyber-security expertise – rather than arrogantly assume they had everything covered, maybe they could’ve asked a specialist to review their design?
Or bring someone in with that exact type of experience, as an expert on their team – to make SURE it wasn’t a problem?
Either they are consumed with beating competitors to market, or their corporate culture doesn’t allow them to ask their Executive Leadership for a professional cyber-security review – because it’d make their own engineers look bad.
But it’s clear to me, they have a serious problem with Risk. They clearly don’t have a solid program in place to think ‘outside of the box’ when it comes to identifying all the high risk areas of their products, in order to expose critical defects so they can mitigate them early.
This all points to Process Failures.
Samsung needs to upgrade their software development lifecycle, product & system testing, cyber-security and performance measurement processes across the board.
Need another example?
Not that long ago, Samsung had another (major) problem on their hands: Samsung Galaxy Note 7 Batteries were exploding.
This critical lapse in Engineering Risk Management had huge consequences. Not only did they lose customers, people were actually injured.
Eventually forcing a recall that cost them over a Billion dollars – that’s a Billion with a B.
If cyber-security risks, and potentially injuring people aren’t worth taking seriously…then what is?
Let’s transition to the Medical Device world.
If you look at the FDA Recalls list – which is public information that’s updated on a regular basis – you’ll notice several companies who’ve appeared there…more than once.
These are the types of product failures which have killed people.
“Reason for Recall: a poorly designed power connector may become corroded due to humidity and simply, come loose. If there is a loss of connection, the pump may stop which could cause serious adverse health consequences, including death.”
I can’t think of anything more ‘Mission Critical’ than a medical device like the one described in this FDA Recall.
And yet – here it is, being recalled.
Earlier this year I interviewed Quality Process Expert Charlie Gragg, and he described the best practices approach towards improving quality & reliability. What he called ‘solving the puzzle’ because…so many companies get it wrong.
He also described how a proper focus on quality should be grounded in cost of quality: how the cost of quality decreases as product quality increases.
He has over 30 years as a Process Improvement Expert, with the last 20+ years working in the medical device world. And Charlie will tell you, that focusing only on time-to-market, (which usually means cutting corners), as well as ‘being compliant’ with regulatory guidelines when it comes to quality – versus focus on the intent – almost always leads to poor product quality, late releases and unhappy customers.
This behavior eventually leads to loss of market share – which these leaders are attempting to expand in the first place.
If Leadership puts the correct processes in place – and then allow teams to follow them – they’ll beat the market every time.
If you don’t think outside of the box (what would a user do with my product in x, y, z scenarios – how would my product interact with a client system during x, y, z abnormal system behaviors), then you’ll continue to be “in the news” for all the wrong reasons.
Another example from the FDA realm: performing little more than requirements based (happy path testing), in order to meet the schedule. This will practically guarantee a bad product release with negative consequences.
By adopting risk-based design, development and manufacturing practices (with human factors engineering and user needs leading the way) you will capture the majority market share you desire.
It all comes down to Process.
If you implement best practice {software development lifecycle, quality management system, good manufacturing practices} processes and you follow them routinely without fail – you will own your market.
If you’d like to check if your Quality Processes are up to speed – request our Free Quality Questionnaire
