Conway’s Law describes how companies develop software. Broadly speaking, it means that software projects tend to be designed and delivered based on the same approach that a company takes to communicating internally. Conway’s Law is quoted as:
Any organization that designs a system (defined more broadly here than just information systems) will inevitably produce a design whose structure is a copy of the organization’s communication structure.
Today, we have seen DevOps and DevSecOps get adopted more readily in organizations. So will security teams find that their own approaches to keeping their companies secure will be affected by company communications models too?
Conway’s Law … is it more of a guideline today?
The first element to consider here is how Conway’s Law measures up today. Is it still as true as it was in the past, and if so, why?
The first point to consider is how many different types of software development teams exist and in which industries. For sectors like finance, traditionally one of the most heavily regulated and security-conscious sectors, the growth of challenger banks has affected the whole sector.
According to CB Insights, around $8.3 billion of funding went to new FinTech startups and challenger banks in Q2 2019, 50 percent higher than the same quarter a year previously. These organizations have taken up agile software development approaches from the start so they could launch quickly, attract customers and grow the number of services they offer over time.
At the same time, high street banks have begun adopting cloud and DevOps in order to remain competitive with these new market entrants. These changes have been accompanied by a desire to move faster and keep up with consumer demands. Both new and established companies in this sector rely on their applications and software development processes to be competitive and to appeal to customers.
These consumers...