It’s not enough just being agile. Developers and software engineers have spent years striving for freedom, in the tools they use, in the ways they apply them, and in the ways they innovate and seek to delight end-users.
So why would they consider giving up that “freedom” to work in highly regulated industries?
When it comes to pharma and healthcare, the picture is of white coats, spotless labs and projects that take years to complete. The popular image of finance is suits, shiny shoes, and old-school ties which might be fed into the shredding machine on a Friday—at least on the trading floor. There’s also the lingering suspicion that every bank has a concreted-over mainframe in the basement and whatever systems you put in place will always be subordinate to this.
This might all verge on caricature, but there is evidence that leaders in regulated industries themselves feel they are hamstrung in their efforts to innovate. Earlier this year, IBM carried out research amongst UK tech leaders in regulated industries which showed that 44.8 per cent agreed that regulatory compliance was the main factor holding up their digital transformation efforts. Certainly, if adopting hybrid cloud is seen as an indicator of digital innovation, 40 per cent of organisations had already made this move, but 47 per cent had no such plans.
In the finance sector specifically, 45 per cent of respondents said regulation and compliance concerns were the biggest barrier to digital transformation, IBM found.
But are these images misleading? Are regulated industries far more fertile territory than the average Cloud Native engineer or developer might imagine?
Regulations are there for a reason, after all, Professor Nishanth Sastry of the University of Surrey reminds us. For some sectors, “The obvious thing to say is the mantra of move fast and break things does not work. You don't want to be breaking my bank account. I'll come after you if you do.”
The gambling sector, for example, is also heavily regulated and still seems able to incorporate cutting-edge technology and techniques, if the stream of speakers at DevOps conferences is to be believed. Likewise, media and advertising have their own regulatory burdens. Other sectors, such as the law, have strict codes of conduct, even if these are largely self-regulated. And what is Fintech, if not investment and banking without a mainframe attached?
Finance certainly involves large amounts of regulation and compliance, covering everything from insider trading, market manipulation, to money laundering. But that IBM research also showed that 40 per cent of finance respondents said new regulations and policies were a catalyst for innovation, not least by creating the opportunity to develop new products or services.
Pharma, healthcare and life sciences—including food—are covered by the GXP regulations which govern good practice and standard operating procedures in those industries, and literally can be a matter of life and death. Yet none of those prevented a succession of companies producing Covid-19 vaccines and treatments, thanks to expedited government reviews and the “overlapping” of some phases of the development and manufacturing process.
Let’s talk about GXP
So, how do regulations really affect the working lives of technologists? Understandably, there is a pervasive desire not to do anything which might fall foul of the regs, as one specialist in pharma told us. Infrastructural decisions have to be taken in light of the regulation, right down to the use of individual tools, and of course, how data is used.
“If there's an inspection, and we violated the GXP, then we are in the shit as a company,” our source explains.
This can lead to a “mindset of: leave it to the people who know”, which might be at odds with the pick-it-up-and-run-with-it attitude engineers might develop in more freewheeling sectors. But looked at another way, this means you can stop wasting time trying to be an expert in absolutely everything.
And none of this means Cloud Native and related techniques are verboten in regulated sectors. “I think CI/CD, the whole philosophy, is actually quite a good one to follow for any industry, including highly regulated industries,” says Sastry.
For example, he says, policies could be encoded in code and applied in unit testing: “So if every check-in ensures that it doesn't break HIPAA law in the US, that's already improving the quality.”
Of course, that’s not going to apply in every case, he says. “It might be that your policy cannot be expressed as a bunch of unit tests.”
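Sastry’s idea of encoding a policy as tests that run on every check-in, as an added illustration that is not from the article: the rules (encryption at rest, audit logging and no public access for datastores holding PHI) and the sample configuration are constructed assumptions for this example, not a statement of what HIPAA requires.

```python
# Added example: compliance rules written as checks a CI job runs on each check-in.
# Rules and sample config are constructed for illustration only.

# Constructed infrastructure definition, as it might be parsed from a committed
# config file. Each entry describes one datastore.
SAMPLE_CONFIG = [
    {"name": "patient-records", "holds_phi": True, "encrypted_at_rest": True,
     "audit_logging": True, "public_access": False},
    {"name": "clinical-exports", "holds_phi": True, "encrypted_at_rest": False,
     "audit_logging": False, "public_access": True},
    {"name": "marketing-assets", "holds_phi": False, "encrypted_at_rest": False,
     "audit_logging": False, "public_access": True},
]

# Each rule is (identifier, description, predicate that is True when the
# datastore VIOLATES the rule). The rules are scoped to stores holding PHI.
PHI_RULES = [
    ("PHI-ENC", "PHI datastore must be encrypted at rest",
     lambda ds: not ds["encrypted_at_rest"]),
    ("PHI-AUDIT", "PHI datastore must have audit logging enabled",
     lambda ds: not ds["audit_logging"]),
    ("PHI-PUBLIC", "PHI datastore must not be publicly accessible",
     lambda ds: ds["public_access"]),
]


def violations(config):
    """Return (datastore name, rule id) for every rule a PHI store fails."""
    found = []
    for ds in config:
        if not ds.get("holds_phi"):
            continue  # non-PHI stores are out of scope for these rules
        for rule_id, _desc, is_violated in PHI_RULES:
            if is_violated(ds):
                found.append((ds["name"], rule_id))
    return found


def policy_gate_passes(config):
    """The gate a CI job would apply: True only when no rule is violated."""
    return not violations(config)


def test_policy_gate_blocks_noncompliant_phi_store():
    """Unit test in the style Sastry describes: fails the build on a violation."""
    found = violations(SAMPLE_CONFIG)
    assert {name for name, _ in found} == {"clinical-exports"}
    assert len(found) == 3
    assert not policy_gate_passes(SAMPLE_CONFIG)
```

Run under any test runner; the public, unencrypted marketing store is not flagged because the rules only apply where PHI is held.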
Daniel Stoeckel, head of data governance and architecture at Merck Healthcare, says there’s always a natural reluctance to change a running system. But he agrees with Sastry that techniques like CI/CD can benefit regulated industries by enabling incremental but accelerated change and helping maintain quality control. “I think there's actually a lot more that is possible to do to introduce change into regulated architectures in a controlled way.”
Stoeckel adds that there are advantages in running regulated workloads on GXP compliant cloud services. “You can be confident that whatever updates, whatever additions they're making, that they're not going to endanger your compliance.” Though that doesn’t remove the need for due diligence and supplier audits.
Certainly the challenger banks in the UK, such as Monzo and Starling, have built their entire business model on the most up-to-date development and deployment processes, while still being able to negotiate forests of regulation.
Executive director for product security at Chase UK, Andy Chakraborty, says, “They are still very much operating like most start-ups do. Continuous integration, continuous deployment, fully code driven. It's the kind of thing you'd see pretty much anywhere like Netflix or Apple.”
But establishing these practices in older organisations is not necessarily going to be a frictionless experience, Chakraborty points out. “Some of the implicit freedoms that people have in tech firms don't translate well to regulated industry.”
He points out that in banking there is typically a three-lines-of-defence model. The people building and operating software are the first line, the next level is a risk management function, and “the third line is audit”. Software typically has to fulfil the requirements of all three before it is released.
“Folks aren't used to having their things questioned. And audits can be quite full on with a week's worth of questioning on tech topics.” Some auditors are likely to be more tech savvy than others, he says.
Ultimately though, Chakraborty says there’s a huge battle for developer talent on the part of the finance sector. “And the thing is, you can't attract good developers if you have an antiquated system. The compensation only goes so far. Folks want to work on interesting challenges or technology that interests them. And they want modern ways of working.”
But while it might be comparatively straightforward to apply Cloud Native and DevOps workflows in regulated industries, individual tools or technologies can present very individual problems.
One man, two governance departments
As Sastry says, compliance is not always the first thing that comes to mind when a developer builds a new open-source tool. “They’re saying… ‘wouldn’t it be cool to automate this’. That’s how a software developer thinks.” This drives the software world forward, because most sectors don’t have to worry so much about regulation.
But, he continues, “The consequence of that is that when you're taking in something from a more permissive environment to something less permissive… you have to check, is that still okay to play with given the regulations.”
And that can be a fraught process. One technologist in the pharma industry explained to us how a cloud provider might provide a GXP compliant service, and “If I build something on top of it, apparently that’s GXP compliant”. But some of the third party tools they might want to use on top aren’t compliant—even though they themselves are built on the same platform. “Sometimes it confuses the crap out of me.”
Likewise, they explain, a lot of the analytics work they do is based on R, which is open source. “However, every time there's a new release, or an update, or a new library comes out, that has to go through this recertification process. Which means that very often we are lagging one or two versions behind, because nobody has done that certification yet.”
There’s another tooling issue to be considered. Those regulations and audits require reports, which require data. And at least when it comes to the financial sector, as one veteran insider and sometime headhunter explained to us, the tooling to process and upload these to the regulators is clunky at best, often veritably archaic, and certainly not designed with the cloud or modern techniques in mind.
More significant, perhaps, is the fact that if you do master these tools—and the associated technology, including that concreted-over mainframe—those skills are not necessarily portable. Certainly not to other sectors, and often not even to rivals in the same industry.
Choosing to embrace limited choices
So, it’s clear that regulations do have a bearing on tech choices. This spans the overarching—cloud versus air gapped systems, proprietary versus open platforms—and the personal, such as what development tools can I use, and do I have to buy a tie or a power suit.
But how much should this really impact Cloud Native specialists’ career decisions?
Sastry says restrictions on tooling and platforms might make some industries appear less appealing, but really this is more of a “second order” issue. For most people, he says, “The most important thing is ‘do they give me enough salary and do I have to relocate myself 100 miles’. These things tend to be more important for people.”
Moreover, he says, some people might actually embrace a less dynamic environment when it comes to tooling or technology. “If you move to something more hip or voguish, you might have to retool yourself.” Some people might find this constant re-education “invigorating”, he says, but others might find that using a more stable tool set or platform makes them more productive.
“A pharma company might be moving more slowly than your latest social media start-up, which might actually make it easier for you to get your job done and go home to the family.”
Early career technologists might naturally look to big tech but, in contrast to Sastry, Stoeckel says this means companies like Merck have to work harder to attract candidates. “Culture makes a lot of difference when hiring talent, right? They're not just looking for a well-paid job. They're looking for a job in which they can be creative, where they can work on cool problems, where they can make a difference. So creating that culture helps tremendously.”
Conversely, finance can be very fast moving, particularly when it comes to anything that can help it make more money. “There are always new people coming into leadership roles who are bringing in more modern ideas of working,” says Chakraborty.
While it used to be easy to differentiate between the tech people and the bankers at a financial firm, this has changed post-Covid, with suits no longer de rigueur. “I think the ground is definitely shifting,” Chakraborty told WTF. “I'm not really sure where it's gonna go. But in general, I think it doesn't matter who you talk to, everyone's talking about better work-life balances.”
Even if banking has a reputation for being less stimulating from a technical point of view, Chakraborty says, “You do find a lot of older technologists who want a bit more of a stable environment and who want to know there's an actual career progression.”
And even if you have no intention of joining a regulated industry, remember, it might not be your choice. As the tech industry becomes ever more powerful—and in the eyes of some, more arrogant—governments and regulators have whole swathes of it in their sights.
In which case it’s worth remembering that Microsoft was considered a less alluring destination for the most forward-thinking engineers and developers in the noughties as a result of antitrust action in the US. Then again, those developers prepared to work with one eye on the deal the software giant agreed with US authorities would have been getting stock options based on a price in the $20 to $30 mark. It’s currently trading at around $260. Not Netflix or AWS growth perhaps, but not too shabby either.