November 22, 2022
7 min

How ISO certification helps you better manage your SaaS technical debt

Category
Security

Table of contents

When managed well, technical debt is an expected, normal and even healthy part of a fast growing SaaS business. When ignored and left to accumulate, technical debt can inhibit your ability to innovate, develop new features and acquire new customers. In the most extreme case, technical debt can grind engineering to a halt and lead to the demise of your business.

What is technical debt? Simply put, it's what you will owe in the future for every technical decision that you make today. For example, you may decide to implement a feature in the quickest and cheapest way possible now, knowing that in the future this feature will become limited, and will have to be reworked or replaced. This future work is the debt that you will owe tomorrow for implementing the quicker and cheaper solution today. Also, much like credit card debt, technical debt accumulates interest in the form of difficulty to implement changes. If not repaid within a reasonable timeframe, the debt can become overwhelming.

There are many causal factors that can lead to technical debt getting out of hand. At the engineering level these can include architectural limitations, infrastructure age and chaotic code. At the management level these can include a lack of knowledge retention, an inability to properly process and manage customer expectations, poor hiring practices and a disconnect between business and engineering.

At Upscaler we believe the root cause of unmanaged technical debt is actually a lack of proper processes. Staying on top of technical debt is not particularly difficult, but it isn't intuitive either. Managing technical debt isn't something SaaS founders, or even developers, typically think about, especially those that have never experienced the impact it can have. Yet, it is extremely important and needs to be addressed head on. It requires deliberate, concerted and cross functional attention that only proper processes can deliver.

Let's look at a few ways ISO certification helps you stay on top of technical debt in your SaaS business.

Shining a light on technical debt

ISO management system standards are all about managing risk. As part of implementing an ISO standard, such as ISO 27001 for information security or ISO 9001 for quality management, you will put in place processes for identifying and treating the risks that can harm your business. One major risk that every SaaS business will identify is, as you've probably guessed by now, unmanaged technical debt. So having processes in place to identify your business risks will already allow you to bring technical debt to a prominent position in the eyes and mind of your organisation.

This is important. Often technical debt becomes unwieldy simply because people don't notice it or don't understand it. Sometimes you sweep it under the rug and decide to deal with it later. Usually, and naively, with the presumption that you'll have more time to deal with it then. But by becoming part of your management systems risk register, this can never happen, because every risk review and every management review will feature technical debt as a discussion point. Every major change that happens will stimulate a conversation around its impact and how it is being managed.

Ensuring changes are controlled

Carefully controlling change is another core requirement of ISO management system standards. Uncontrolled change can be a major contributing factor to unchecked technical debt. This is sometimes seen in immature SaaS companies with a culture of pushing out new features at any cost, often done with little consideration to the cost of maintenance, refactoring and future extensibility of those features.

To start with, change control in ISO ensures that there is a strong business case for the change that you are making, because every major change could impact your business objectives and strategic direction. It also requires you to have a well thought out plan for implementing that change, and importantly, the proposed change must be risk assessed. This brings us back to our risk management process described above. You will need to analyse each major change to identify the risks it may pose to your business, which may very well include the risk of unmanaged technical debt.

Then the proposed change must be reviewed and approved, usually by an appointed change advisory board, before it can be carried out as planned. Gone are the days of your CEO, VP of Sales or anyone else being able to commandeer engineering to quickly develop a feature they sold to a customer yesterday. And finally, once the change is made, it must be assessed. This is where you document any lessons learned which may lead to improvements in the way changes are managed, such as better processes for identifying and managing technical debt throughout the change lifecycle.

Developing securely

A core requirement of ISO 27001 for information security is that your software development process is secure. This not only means that you must have physical security controls in place; it also means that your developers make decisions and write code with information security in mind. This usually requires introducing secure development policies and procedures, establishing peer review and conducting security focused developer training. Over time, a secure development culture begins to emerge where developers operate securely as part of their standard operating procedures.

This is great, for obvious reasons, but how does it help with managing technical debt? A significant causal factor of technical debt is old technologies, frameworks and libraries. Over time these can become bottlenecks and stifle progress in other areas, leading to an accumulation of technical debt. Equally, these older components can present security issues, particularly if they are no longer being maintained or supported. With secure development processes in place, and with engineering being integral to how you manage risk, there will be an impetuous to resolve these issues before they get out of hand since they could pose a security risk while also contributing to technical debt.

Retaining knowledge

Developers are generally good at writing clean code that can be understood by other developers that may need to maintain their code in the future. They are also pretty good at documenting technical procedures related to testing, deployment and other operational matters. What technical teams tend not to do very well is document the 'why' around the important decisions they have made. Why did they choose this library over the other?  Why Auth0 instead of Cognito? What were the drivers at the time? Were there any known future impacts of this decision? And the list may go on.

This is not so much of a problem provided the decision makers stick around or don't suffer amnesia. But this rarely happens and over time, as your engineering team is replaced, it leads to a knowledge drain. This can result in a paralysis around managing technical debt for fear of the unknown. "If a former senior developer made this decision then they must have had a good reason, so let's not touch that and try to work around it." Unmanageable technical debt here we come!

Fortunately, ISO management system standards are designed to retain important knowledge throughout all levels of your organisation. Key changes cannot be made without documenting the business case, rationale and implementation plans. Analysing and documenting lessons learned ensure that knowledge generally gained by experience is used and shared, and doesn't leave with former employees. Risk reviews, management reviews and internal audits all lead to an increase in the flow and retention of knowledge that will help you to manage technical debt.

Properly vetting suppliers

Technical debt can also accumulate due to decisions you have made around key third parties. Picture a scenario where you have integrated some important service into your SaaS app and a year later that service provider is out of business or otherwise fails to perform. The decision to go with that provider at the time may have been down to cost alone, or because you recognised some of the logos on their website. You now find yourself with a technical debt problem that needs to be repaid urgently!

By implementing ISO management system standards you will minimise the risk of such an outcome happening. Firstly, the selection of a key supplier has to go through rigorous change control before you can go ahead. Then you will thoroughly vet your suppliers to uncover any issues that may become problems now or down the line. Finally, you will establish clear relationships with them that includes contracts, Service Level Agreements and ongoing supplier review activities.

Putting customers at the centre

It's hard to deliver a quality customer experience or achieve true customer satisfaction if constrained by technical debt. When unmanaged, it's like a metal ball and chain that is getting heavier with each forward step. It is as much in your customer's interest that this outcome be avoided as it is in your own. So, in the pursuit of customer satisfaction, it is intrinsic for you to ensure that you can deliver a great product and service not only today, but well into the future.

Numerous quality management principles found in ISO 9001, ISO 27001 and other standards help to achieve this and, in turn, manage technical debt. This includes how you approach product design and development, how you process feedback, how you manage customer expectations, how you hire people, how you conduct corrective and preventive action, how you analyse and evaluate performance, to name just a few.

When it comes to technical debt, you're not alone. There is not a single SaaS business out there that isn't dealing with technical debt to some degree. What separates the good from the not so good is simply down to how they manage it. Almost every company has experienced a sales person that over promises product capabilities to the customer, and then expects the engineering team to deliver overnight. We can't change human nature, but we can put systems in place that help us manage the various scenarios that allow technical debt to amass.

The good news is that ISO standards help us establish those systems. They provide a playbook and a set of processes that together minimise the likelihood of technical debt ever getting out of control, and putting your business at risk.

If you have any questions or would like to learn more about Upscaler don't hesitate to contact our team. We love to talk with SaaS companies and help them on their journey in any way that we can.

Ready to start your business excellence journey?

Book a Demo
Book a Demo

The link has been successfully copied.