Rational Astrologies and the SDLC

Apr 08, 2025



OMG. “Rational Astrology” is the best thing I’ve ever heard.

I stumbled on it in an article about security.

It shows how we rationally adopt security practices that feel safe but aren’t actually effective.

The paper broke down the reasons into three categories: justifiably safe, least bad option, and bureaucratic inertia.

It turns out that in software development, we do the same things:

  • Justifiably Safe: We plan entire quarters or years, even though they never unfold anywhere near as expected.
  • Least Bad Option: We vote on story points because it’s the best of the flawed estimation methods we’ve tried.
  • Bureaucratic Inertia: We hold daily scrums simply because that’s how it’s always been done.

The authors then analyzed common reasons why this happens:

  1. The decision maker’s incentives differ from the organization’s.
  2. It’s a tough problem with no perfect solution, so we latch onto a flawed approach for reassurance.

(I’d add a 3rd of my own, which is that we tend to solve problems that we don’t have, but I digress).

The 2nd one really resonates with me. We cannot solve the problem but … we are doing something.

But that “something” often has real costs associated with it.

A lot of the time, changing a bad practice has concentrated costs.

You may need to spend time and effort convincing a group that this is a bad idea and take on some career risk in doing so.

At the same time, the benefits may be diffused - maybe everyone saves a little time and focus - and this is harder to quantify.

But if you do nothing, these bad practices compound and it becomes impossible to recover.

My Takeaway

👉  If a practice isn’t truly making you more secure or effective, you have to blow it up!
