Every other Friday, we have a meeting of the “DevOps Theme Team,” a group of Forrester analysts focused on next-generation IT management approaches. We talk about Agile and DevOps, of course, but also extend into related areas like portfolio management and security. Today (unsurprisingly) the topic du jour was COVID-19 and its impacts specifically from an Agile/DevOps perspective. Is COVID-19 a shock to Agile practices? Does it pose some risk of backsliding, reverting to older practices?

We agreed that it certainly could be a stress test for Agile. If organizations react out of fear, they may perceive new operating model practices (e.g., moving from project to product teams) as now too risky. There may be even a desire to reverse such changes. However, we think that the safer response is to fall forward into the product team model. Siloed teams perform even worse when everything is remote. The friction of work handoffs is further compounded by distance.

It was disturbing to see reports circulating that some organizations are becoming much more restrictive with change management (e.g., moving new functionality into production). This is an understandable reaction. But it again represents a fallback to an older paradigm you may regret. The demand for change will continue to mount. You will be more and more tempted to clear it with large, risky “batches.” By avoiding the perceived risk of change, you incur the risks of deferring it. These risks are equally if not more hazardous, unless you plan to never change again. We don’t recommend this as a business strategy in troubled times.

We noted recent McKinsey findings indicating that remote teams may have poorer software quality. Our hypothesis is that this points out the need for more effective code review tools and procedures. These can help mitigate the loss of in-person, paired programming interactions. Code reviews should still take place as real-time, synchronous interactions. If they are asynchronous, they risk becoming too casual, which we think may lead to these quality issues. Invest in both better processes and collaborative tools to support this critical part of software development.

Now more than ever is the time to ensure that the product team, as a rule, has all the information, resources, and approvals it needs to get its job done. The world is going even more digital because of this crisis, and old industrial-era thinking needs to be abandoned once and for all.

This includes security, top of mind for many. Distribute your security know-how within the IT organization. To ensure that security does not block agility, focus on enabling frictionless security in the DevSecOps process. Left-shift (baking security into your initial infrastructure definitions) and automate policy enforcement. Adopt the “developer security champion” model, empowering each feature/product team to collaborate with the security officer to bring best practices directly to their teams.

COVID-19 has rocketed to the top of the most popular spear-phishing “hooks.” And with the move to remote work, identity management is a high priority. This will drive organizations to favor comprehensively integrated platforms and look more skeptically at the integration challenges posed by “best of breed” strategies.

Finally, troubled economic times often lead to cost-cutting and a renewed focus on efficiency. To support this, it’s time to get serious about measurement. Organizations talk a good game, but too many don’t measure effectively. In IT terms, we’re already hearing an uptick of interest in application portfolio rationalization. Have you sorted out your inventory of applications, services, products, microservices, or whatever you call them? Have you aligned your cloud tagging strategy to this master data? On such basic hygienic practices rides the health of your portfolio, so that you can be more conscientious about where you are investing.

Again, trust and fall forward into the new operating model, and stay safe out there.