Could you show me your antivirus?

A couple of days ago I went to the local shopping mall to buy something. At the checkout I gave my credit card and the clerk asked me for an identity document. This practice, though somewhat annoying, is quite usual and is in place to protect both the customer and the shop. Nonetheless, after what happened to the Target chain, I wonder if I would be entitled to ask them to show me their antivirus. Yes, put like that it is just provocative, but I am giving them a very sensitive piece of information (actually one of the most sensitive and safeguarded); shouldn’t I be reassured that they took the most adequate measures to handle it properly?

The Lottery Syndrome & Other Hypotheses

Software projects, regardless of whether they are small or large, are likely to fail or go over time or over budget today not much less than they did 60 years ago. What is puzzling is that, over this period, academia and industry defined, if not a complete theory system, at least a set of rules, best practices and “don’t” lists that, they claim, can provide accurate (or at least good enough) estimations of the effort required to complete a software project, while also providing a set of tools for managing such a project to reach the desired objectives. So the real question is why projects keep failing and management keeps ignoring the wealth of evidence that would lead to a better handling of such projects.
Yesterday I watched the webinar “Software Estimation in an Agile World” by Steve McConnell. I “met” Steve years ago, nearly by chance, reading his book “Software Project Survival Guide”. He is a great Software Engineer so listening to what he has to say on the matter is always worth the time.
At one point in the presentation, the point is made that raising the CMM level of a company not only makes it possible to obtain very good estimations, but also reduces development costs.
So, what can prevent any wise company manager/owner/leader from climbing the CMM ladder? I have three hypotheses and my guess is that the real reason is a specific combination of these three.

  1. Mystical Data. At CMM level 0 the company is in the wilderness of mystic evaluation. There are no scientific data, since there is no data collection and thus no data elaboration. The company may, in “bona fide”, reckon that current practice is actually faster without the burden of process.
  2. NAH Syndrome. Sometimes I heard this. It goes something like “yes, CMM and real process and the like are useful for large companies or for places like NASA and nuclear reactors [a favourite example], but CMM is Not Applicable Here, it would cost too much and it would slow us out of competitiveness”.
  3. “Lottery Syndrome”. This is very close to the reason you may want to enter a lottery. You know that the chances of winning are low, BUT they are not zero. In the same way, the company knows that driving a project without a CMM may be risky, but there is an actual chance that the outcome will be a project developed within the given time and budget and in a way that makes the customer happy.

What do you think?