Technology companies compete on their ability to quickly develop, deliver and update quality systems and software. This need for speed has led solution providers to abandon the traditional “waterfall” software development methodology in favour of Agile and DevOps, a more collaborative approach that aims to shorten time to market while producing a more reliable product. However, many organisations have struggled to apply traditional IT control frameworks within an Agile/DevOps environment, and the two are often misconceived as being incompatible.
Atlassian, a global software development company responsible for creating team collaboration and productivity tools — including Jira, Confluence, Trello, Stride and BitBucket, amongst others — recognises that trust is increasingly at the forefront of customers’ adoption decisions, and that being transparent about compliance is key to demonstrating trustworthiness. In addition, when it listed on NASDAQ in the United States in December 2015, Atlassian needed to be in a position to demonstrate effective controls to its investors.
For this industry leader, with more than 100,000 customers worldwide, the challenge was to design controls, such as access and change management, that would meet Sarbanes-Oxley Act (SOX), SOC2, ISO27k and other global compliance requirements and standards without compromising the company’s ability to be at the forefront of Agile, delivering multiple releases every fortnight. Atlassian partnered with Protiviti to design and evaluate controls across the company’s products and internal systems.
Atlassian entered this project with several advantages. First, its existing ways of working already involved certain control points that, even if they were not formally recognised as such, could be formalised and automated. Second, Atlassian had, and continues to have, a cultural bias for change — its ingrained culture of collaboration and problem-solving minimised resistance to change and greatly improved the outcomes. Finally, there was the added benefit that Atlassian owns the tools (Jira, BitBucket and Bamboo) it uses to develop and release all its products, which enabled controls to be embedded as product improvements. For example, a key automated change control is a check that the exact version of the code being released has been peer-reviewed; a stale approval on an earlier commit does not count. This check can be performed by the release tools themselves.
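To make that control concrete, the following is an added illustration, not Atlassian’s or Protiviti’s code and not the behaviour of any specific BitBucket or Bamboo feature: a release gate that passes only when the commit about to be released is exactly the commit that was peer-reviewed by someone other than the author. The pull request records and commit hashes are constructed for the example; in practice they would come from the review tool.

```python
"""Release gate: confirm the commit being released is the one that was peer-reviewed.

Added example. The PullRequest/Approval records and the commit hashes below are
constructed; a real gate would read them from the code review system.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Approval:
    reviewer: str
    commit: str  # hash of the commit the reviewer actually approved


@dataclass
class PullRequest:
    author: str
    head: str  # current tip of the branch that will be released
    approvals: list[Approval] = field(default_factory=list)


def release_gate(pr: PullRequest, min_approvals: int = 1) -> tuple[bool, list[str]]:
    """Return (passed, reasons).

    An approval counts only if (a) the reviewer is not the author, and
    (b) it was given on the current head commit. A push or rebase after the
    review moves the head, so earlier approvals become stale and are rejected:
    the code that ships must be the code that was reviewed.
    """
    reasons: list[str] = []
    valid_reviewers: set[str] = set()
    for a in pr.approvals:
        if a.reviewer == pr.author:
            reasons.append(f"self-approval by {a.reviewer} ignored")
            continue
        if a.commit != pr.head:
            reasons.append(
                f"approval by {a.reviewer} covers {a.commit[:7]}, not head {pr.head[:7]}"
            )
            continue
        valid_reviewers.add(a.reviewer)  # set: one reviewer counts once
    if len(valid_reviewers) < min_approvals:
        reasons.append(f"{len(valid_reviewers)} valid approval(s), need {min_approvals}")
        return False, reasons
    return True, reasons


# Constructed sample records (hashes are illustrative, not real commits).
REVIEWED = "a1b2c3d4e5f60718293a4b5c6d7e8f9001122334"
AFTER_PUSH = "ffee0011223344556677889900aabbccddeeff00"

# Reviewed by a peer on the current head: passes.
CLEAN_PR = PullRequest(author="dev", head=REVIEWED,
                       approvals=[Approval("reviewer1", REVIEWED)])
# Approved, then the author pushed another commit: approval is stale, fails.
STALE_PR = PullRequest(author="dev", head=AFTER_PUSH,
                       approvals=[Approval("reviewer1", REVIEWED)])
# Only the author approved their own change: fails.
SELF_PR = PullRequest(author="dev", head=REVIEWED,
                      approvals=[Approval("dev", REVIEWED)])


if __name__ == "__main__":
    for name, pr in (("clean", CLEAN_PR), ("stale", STALE_PR), ("self", SELF_PR)):
        passed, reasons = release_gate(pr)
        print(f"{name}: {'RELEASE' if passed else 'BLOCK'} {reasons}")
```

The stale-approval case is the one worth automating: a human signing off a release rarely re-checks that nothing was pushed after the reviewer clicked approve, whereas comparing the approved hash with the head hash is a one-line check the release pipeline can run on every build.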
Controls are often viewed as barriers that slow down the release cadence; however, the Atlassian experience demonstrated that in some cases controls can improve the efficiency of the development process by automating a number of checks, which also helps improve code quality and reduces the time spent on defect resolution.
Key success factors in Atlassian’s journey were its commitment to quality control without compromising agility and its openness to collaboration and change. That, combined with Protiviti’s IT risk, compliance and controls experience, and a mutual commitment to designing best-in-class controls for a DevOps world, delivered a resounding success.
Protiviti continues to assist Atlassian with its continued focus on trust, privacy and compliance transparency.
At a time when customers, shareholders and regulators are increasingly concerned about information security, privacy and the reliability of IT solution providers, Atlassian is able to face the future with confidence. More importantly, the potential to embed controls in future software releases stands as a clear differentiator for Atlassian, allowing the company to deliver that confidence downstream to its customers.