Agile Dev, Better Software & DevOps East

Learn what you need to build better software now. The Agile Dev, Better Software, and DevOps East events hosted by Techwell are co-located from November 5-10, 2017 in Orlando, FL. With over 100 learning and networking sessions, there will be a wide variety of new things to learn:

  • Projects and teams
  • Personal excellence
  • Going mobile
  • Business analysis and requirements
  • Internet of Things (IoT)
  • Process and metrics
  • Leadership
  • Software quality and testing


One registration gives you access to all three of these industry-leading events.


Register by October 6 using CISQ’s special promo code CECM to save up to an additional $200 off. Plus, this offer can be combined with early bird pricing for even more savings.


Measuring IT Project Performances in Texas: House Bill (HB) 3275 Implications

CISQ Advisory Board member, Herb Krasner, has released a position paper for Texas state CIOs and IT leaders seeking guidance on House Bill (HB) 3275 passed in June 2017 requiring the reporting of software quality measurement in Texas State IT projects. Krasner drafted the legislation that was signed into law by Texas governor, Greg Abbott. Directives go into effect on January 1, 2018.


The new law, HB 3275, is available on the CISQ website for review.


Abstract from the position paper, Measuring IT Project Performances in Texas: House Bill (HB) 3275 Implications:


“Texas’ usage of IT is big and getting bigger, but past project performances have a “checkered” history. In June 2017 HB 3275 became law in Texas. It requires state agencies to improve the measuring and monitoring of large IT projects to collect and report on performance indicators for schedule, cost, scope, and quality. If these indicators go out of bounds, more intense scrutiny is then triggered, potentially requiring corrective action. These indicators will be made visible to the public via an online, user-friendly dashboard, and will be summarized annually in a report to state leaders. This new law facilitates the early detection of troubled projects, and helps establish baselines for improvement initiatives. This position paper discusses the implications and challenges of implementing this new law for state and agency IT leadership.”


Professor Herb Krasner recently retired from the University of Texas at Austin. He was the Director of Outreach Services for the UT Center for Advanced Research in Software Engineering (ARiSE) and founder and CTO of the UT Software Quality Institute (SQI). As a systems excellence consultant, his mission, spanning five decades, has been to enable the development of superior software intensive systems, and to stamp out poor quality software, wherever found. Mr. Krasner is active in Texas state legislature IT improvement initiatives.


PNSQC 2017


Registration is now open! We are scaling new heights in quality software. Join us in Portland, Oregon, October 9-11.


CISQ is a supporting partner of PNSQC.


The At-a-Glance tells it all to let you make plans. The keynote speakers discuss what quality looks like in 2017 in Trends, Tricks and Traps, who exactly is Owning Quality in Agile, and How to Build a Workplace People Love by Adding Joy.


Invited speakers cover your doubts, your data collection, your product ecology and more.


The technical tracks keep us focused on Scrum, Lean Start Ups, AI, the Internet of Things and Golf. Over lunch we scale new heights with a Mazama and a builder, giving you plenty to chew over.


Turn plans to action and register before September 15 to receive early-bird discounts; groups of 4 or more receive an extra 15% off. Join us in Portland, register now!



How Outsourcing Can Mitigate Cyberrisks in DevOps


Dr. Erik Beulen, Principal, Amsterdam office; Dr. Walter W. Bohmayr, Senior Partner, Vienna office; Dr. Stefan A. Deutscher, Associate Director, Berlin office; and Alex Asen, Senior Knowledge Analyst, Boston office


DevOps agility requires organizational adjustments and additional tooling to ensure cybersecurity. At the same time, the challenges of the cybersecurity labor market drive the need to increase tooling’s impact and to consider outsourcing. In turn, these require carefully focusing on cybersecurity governance, including the assignment of accountability and responsibility.


In DevOps, the business is in the driver’s seat. DevOps characteristics (such as iterative prioritizing and deployment), combined with shared responsibility for development and operations, present cybersecurity risks. They also create opportunities: DevOps tools, infrastructure, processes, and procedures can be used to fully automate patch deployments and to continuously monitor, for example, open ports. Best practice is to automate information security platforms, at a minimum through programmable APIs and preferably with automated access control, and to use containers and container orchestration combined with hypervisors or physical separation to limit the impact of an attack on the OS kernel layer.


Market Developments


Our analysis of global startup activity in cybersecurity products reveals about 1,000 firms that represent more than $20 billion of investments. This explosion of competing cybersecurity products has driven enterprise reliance on best-of-breed solutions, which requires a lot of coordination and increases the risk of gaps in the cybersecurity landscape. Consolidation of cybersecurity product portfolios through mergers and acquisitions will still take some time—about three to five years. In the enterprise segment, we have to accept best-of-breed solutions and the associated increased complexity for the years to come.


Meanwhile, the service market is also evolving but still scattered. Managed security service providers (MSSPs) provide end-to-end protection, stabilize infrastructure, optimize IT operations, and provide rapid responses to security breaches. On one hand, MSSPs can be used to scale up required capabilities, reduce complexity, and innovate to achieve cyberresilience. On the other hand, the service market is not mature yet, so prior to contracting with an MSSP, companies should rigorously assess a solution’s robustness and vision. Companies should also determine the number and seniority level of the cybersecurity experts at an MSSP.




Accountability for cyberresilience can never be outsourced. Organizations need to build a cybersecurity competence center that oversees the design and maintenance of strategy and requirements, assesses cybersecurity compliance, and evangelizes cybersecurity. (See Exhibit 1.) This competence center manages the business demands. It also directs in-house cybersecurity and MSSPs’ strategy and policies, including standards, frameworks, certification, risk tolerance levels, and attack procedures. The number of MSSPs a company should engage depends on the size of the organization, its cybersecurity requirements, and its capability to manage suppliers. Organizations rarely engage more than three MSSPs, in order to avoid coordination challenges and ensure unambiguous responsibilities.


Exhibit 1: Cybersecurity Competence Center Responsibilities





Responsibilities for cyberresilience have to be embedded from the board level down to each DevOps team. This is not straightforward and requires a constant and intense dialogue embedded in governance structures and involving all stakeholders. At the application level, product owners and scrum masters have to ensure cybersecurity is respected and embraced by the DevOps teams (“cybersecurity by design”). This doesn’t mean developers must become security experts. Rather, product owners must assign dedicated security experts to each DevOps team. This will not be a full-time role, and security experts can be allocated to multiple DevOps teams. However, cybersecurity remains a team responsibility. Scrum masters have to explicitly address cybersecurity in each step of the DevOps lifecycle. This starts with creating cybersecurity awareness by training developers using gamification (such as Microsoft EOP game[1]). Furthermore, continuously monitoring and measuring cybersecurity performance (service levels) is important. The end goal is to champion cybersecurity by deploying and maintaining software in accordance with the set risk tolerance levels and applicable security standards.




Ensure cybersecurity in DevOps by taking these steps: empowering your product owners and scrum masters, building a competence center, partnering with no more than three MSSPs, using automation, and, of course, making cybersecurity a business agenda item. Also follow the World Economic Forum Working Group,[2] which kicked off cyberresilience through brainstorming!



Gartner Catalyst Conference 2017

Gartner Catalyst Conference gives a comprehensive view into the technologies that will power the future of your digital business.


Technically focused and committed to pragmatic, how-to content, Gartner Catalyst Conference provides practical solutions, actionable advice and principled objectivity. With access to more than 150 sessions built on forward-thinking Gartner for Technical Professionals (GTP) research, attendees will leave with a framework for project planning and execution and their own professional development.


Through six conference tracks and four “journeys” tailored to specific roles, you’ll learn how to:

  • Build data and analytics architectures
  • Leverage DevOps to increase data center agility
  • Create scalable security and identity architectures
  • Develop innovative software architectures and practices
  • Formulate and execute your IoT strategy
  • Make sense of blockchain and how to use it
  • Understand the impact of AI and machine learning
  • Take mobility from strategy to execution
  • Achieve digital workplace productivity
  • Explore public and hybrid cloud strategies and cloud-native solutions




STARWEST – Software Testing Conference

October 1-6, 2017

Disneyland Hotel in Anaheim, CA



Wondering why you should attend the STARWEST software testing conference from October 1-6 in Anaheim this year? With over 100 learning and networking sessions, there will be a wide variety of new things to learn, including finding the best solutions to your software testing challenges. Register for the STARWEST software testing conference by September 1 using promo code SWCM to save up to an additional $200 off. Plus, this offer can be combined with early bird pricing for even more savings.




Conference highlights include:

  • Pre-conference training classes
  • In-depth half- and full-day tutorials
  • Keynotes featuring recognized thought-leaders
  • Concurrent sessions covering major issues and solutions
  • The Expo, bringing you the latest in software development solutions
  • Networking events: receptions, breakfasts, breaks, and lunches included
  • A full day to explore unique challenges at the Testing & Quality Leadership Summit









Gartner Sourcing & Strategic Vendor Relationships Summit

September 13-15
Gaylord Opryland Resort & Convention Center
Nashville, TN


Special CISQ rate: CISQ members save $325 off the registration fee. Apply the code GARTOMG at registration.


Lead Sourcing and Vendor Management to the Core of Digital Business


Gartner Sourcing & Strategic Vendor Relationships Summit will address how Sourcing, Procurement and Vendor Management can proactively become agents and enablers of digital business. The agenda will focus on both traditional run-the-business sourcing and vendor management best practices as well as new models to increase sourcing’s proactiveness in supporting the organization’s digital business transformation.


The agenda features dedicated tracks for sourcing managers, procurement/contract managers, IT vendor managers, and a track on emerging trends and disruptive technologies. In addition, Gartner’s exclusive Program for Senior Sourcing Executives provides a forum for the most senior level delegates to engage with Gartner analysts and peers in a series of presentations and discussions. Drill down on your hottest sourcing topics based on your role, experience level and key focus.


2017 Agenda tracks
Track A: Sourcing Leaders
Sourcing for the Digital Platform and Business Value


Track B: Sourcing and Procurement Managers
Selecting and Contracting for Agility, Innovation and Value


Track C: Vendor Managers
Maturing Vendor Management for the Digital Age


Track D: All Roles
Embracing Disruptive and Innovative Technology to Gain Competitive Advantage


CISQ members save $325 off the registration fee! Apply the code GARTOMG at registration.


Forrester Privacy & Security 2017


September 14-15, 2017
The Mayflower Hotel in Washington, D.C.

Special member rate: CISQ members save $400 off the registration fee with the code OMG400.


Driving Customer Loyalty and Business Growth With Trust


Privacy & Security 2017 will explore the rapid escalation of security, privacy, and risk from the operational back office to a strategic, enterprise-level imperative — and key driver of digital business and customer trust.


Your consumers’ expectations of privacy and trust now go far beyond such basic questions as “Will you protect my personal information?” They demand a seamless, consistent experience of safety, security, and data privacy. They require trust — and the smartest enterprises are increasingly committed to trust as a core component of their value proposition and brand.


Yet, this commitment to trust is happening at the same time that threats to data security are rapidly proliferating — in number, variety, scale and sophistication. Established security techniques and technologies are buckling under the assault.


In fact, Forrester predicts that a Fortune 1000 company will disappear in 2017 — through bankruptcy, acquisition, or regulatory enforcement — because of a cyberattack.


To WIN in this new era requires new approaches:


First, security and risk must move from the back office to the forefront of corporate strategy. Security, privacy, and risk are no longer about managing exposure to the downside, but are now critical drivers of business success, customer loyalty, and revenue growth.


Second, new technologies, teams, and techniques are required to defeat the growing threats to enterprise data and security, while simultaneously delivering frictionless customer experiences that inspire trust.


Forrester’s Privacy And Security 2017 is designed to bring security and IT professionals together with business and strategy leaders to collaboratively leverage security and trust for future growth in this challenging and volatile environment.



Cyber Resilience Summit: Modernizing and Securing Government IT


Topic: Reducing Modernization Risk through Compliance to Software and Risk Management Standards


Hosted by: Consortium for IT Software Quality (CISQ) in cooperation with the Object Management Group (OMG) and IT Acquisition Advisory Council (IT-AAC)


Date: Thursday, October 19, 2017 from 8:00am – 3:15pm followed by “Cyber Mingle” until 4:00pm


Venue: Army Navy Country Club, 1700 Army Navy Drive, Arlington, VA


Contact: 781-444-1132 x149


Knowledge Repository:


**Speakers and attendees, to submit content for the knowledge repository, please send to**



With passage of the Technology Modernization Act and the Executive Order for Cyber Security seeking to modernize and secure legacy systems, forward-leaning public officials, standards bodies, and IT Communities of Interest are converging for the 4th annual Cyber Resilience Summit on October 19 in Arlington, VA. With growing threats from a tech-savvy adversary, Federal agencies need to embrace advanced risk management and modernization practices proven effective in the global IT market.


If you look at the Trump agenda, you understand that the government is trying to maximize the use of commercial innovation, commercial standards and commercial best practices, and in doing so, direct that at the modernization and security of legacy systems that right now are the #1 cyber threat.


The program will cover the topics of risk-managed digital transformation and the practical application of systems engineering to support agile acquisition, cloud readiness, big data, technical debt control, and cyber risk management of complex mission, C2, weapon and citizen-facing systems.



Registration is complimentary for government employees; industry $250; includes refreshments and lunch.



8:00 Registration and Coffee Social
8:20 Welcome Remarks
– Dr. Bill Curtis, Executive Director, Consortium for IT Software Quality (CISQ)
– John Weiler, Vice Chair, IT Acquisition Advisory Council (IT-AAC)
8:30 Opening Keynote Panel
– Tony Scott, former Federal Chief Information Officer
– Greg Smithberger, CIO/CTO, NSA
– Donald Freese, FBI Deputy Assistant Director for Information Technology
9:15 Titans of Cyber Panel: Policy and Directives for Modernizing and Securing Legacy IT
Topics: FITARA, MGT Act, Executive Order for Cyber Security
Lead: Dr. Edward E. Amoroso, CEO, Tag Cyber LLC

– Jeffrey Eisensmith, CISO, DHS OCIO
– Sara Mosley, Acting Director for the Office of the Chief Technology Officer, DHS CS&C
– Jack Wilmer, Cyber lead for American Technology Council, White House OSTP
– Ken Bible, Deputy CIO, U.S. Marine Corps
10:30 Break & Networking
10:45 Standards to Measure and Manage Security, Resilience and Technical Debt
– Dr. Bill Curtis, Executive Director, Consortium for IT Software Quality (CISQ)
– John Weiler, Vice Chair, IT Acquisition Advisory Council (IT-AAC)
11:25 Cyber Resilience Standards of Practice
Lead: Dr. Bill Curtis, Executive Director, Consortium for IT Software Quality (CISQ)

– Dr. Ron Ross, Computer Scientist and Fellow, NIST
– Roberta Stempfley, Director of SEI’s CERT Division
– Herb Krasner, University of Texas at Austin (ret.), Texas IT Champion
12:15 Luncheon and Networking
12:45 Luncheon Keynote: Navy Cyber Way Forward
– Dr. Thresa Lang, Deputy Director, Navy Cybersecurity/Deputy Director, Department of the Navy Deputy Chief Information Officer (Navy)
1:15 Titans of Cyber Panel: Best Practices and Innovations for Rapid, Secure Modernization

Lead: John Weiler, Vice Chair, IT Acquisition Advisory Council (IT-AAC)

– Therese Firmin, Principal Director, DCIO (CS) and Deputy Chief Information Security Officer, Department of Defense
– Jose Arrieta, Director, Office of IT 70 Schedule Contract Operations, GSA
– Brigadier General (ret) Greg Touhill, former U.S. CISO; President of Cyxtera Federal Group
– Matt Conner, CISO, National Geospatial-Intelligence Agency

2:15 Supply Chain and Integration Risk Management
Lead: Joe Jarzombek, Global Manager, Synopsys Software Integrity Group

– Emile Monette, Senior Cybersecurity Strategist and Acquisition Advisor, DHS OCISO
– Shon Lyublanovits, IT Security Category Manager and Director of the Security Services Division for the Office of Integrated Technology Services (ITS) in GSA’s Federal Acquisition Service (FAS)
– Dave Duma, Acting Director, Operational Test and Evaluation, Department of Defense
3:15 Closing Remarks
’til 4:00 informal “Cyber Mingle”



“Risk-Managed” Digital Transformation at Forrester Forum

Forrester Research is hosting the Digital Transformation Forum, an event series now in its second year, in cities across the U.S., Europe and India. CISQ is a proud partner along with its parent organization, The Object Management Group® (OMG®). This week (May 9-10) we’ve been at Digital Transformation in Chicago with 500+ attendees discussing multiple important angles of the subject:

  • Creating customer-centric experiences through digital technology
  • Changing business models and operations
  • Discovering new growth opportunities
  • Supporting digital transformation through technology, culture, leadership, skills and processes


CISQ’s expertise in the digital transformation discussion is at the software level – specifically the IT systems and applications that are being built or modernized to enable these new capabilities. Digital systems (software) are powering the enterprise. Operational excellence is critical in terms of system performance, reliability, maintainability, and security (see CISQ’s Automated Quality Characteristic Measures).


Digital is all about the software that runs your business. What we’re hearing at the Forrester Digital Transformation Forum, and from our members, is that they are going to have to write a whole lot of new software for their digital business strategies, and will also have to transform a lot of existing software.


As these new software ecosystems come into being, the ability to measure and certify the non-functional characteristics of software risk is going to become more important. Digital requires business leaders to take charge, because digital transformation is really a business transformation. Yet there is still a deep disconnect between what technologists know about the company’s digital assets and what the business people understand. Having a standard lingua franca to communicate the state of business software is turning out to be increasingly valuable for business stakeholders.


Stop by CISQ’s table at future Forrester events! We’re located near the Forrester product stations.