How do you determine what your priorities are?

There is no path to business success without a clear understanding of how to prioritize. Sometimes, the benefits of your efforts in the cloud can be negatively impacted by the lack of shared goals that allow you to set priorities for resources. To avoid this, it’s key that everyone understands their role in enabling business success. According to the AWS Well-Architected Framework, it’s best practice to evaluate customer needs, governance and compliance requirements, the threat landscape, potential tradeoffs, and manage benefits and risks. By doing so, you will increase your efficiency working in the cloud, which, in turn, generates business value.

Evaluating customer needs

The best strategy to take account of customer needs is to encourage the involvement of key stakeholders. The business team, as well as development and operations teams, must all be involved in order to fully account for customer needs and be able to focus your efforts accordingly. By involving all stakeholders in the process, you will gain a thorough understanding of the operations support required to achieve your expected business objectives.

To make your customer needs evaluation process count, you should take into account the following steps. You should begin by listening to the business, development, and operations teams to achieve a shared understanding of how to fulfill customer needs and establish shared goals. These should be revisited and reviewed in detail to make sure that all stakeholders’ needs are taken into account. Finally, it’s key to establish a shared understanding of the business functions of the workload, the role of each team member when it comes to the operation of the workload, and how these factors support the agreed-upon business goals and fulfill customer needs.

Evaluating governance requirements

A comprehensive evaluation of governance requirements can save you a lot of work and time. By taking the time to carefully consider these requirements, you avoid the possibility of carrying out hours of work that later needs to be redone or revised due to governance issues. Guidelines or obligations defined by your organization may warrant specific focus. Internal governance factors must be taken into consideration. These include program or organizational policy, issue or system-specific policies, standards, procedures, baselines, and guidelines. It’s important to validate that there are mechanisms in place to identify changes to governance.

In the unlikely event that you can’t identify any governance requirements, do ensure that due diligence has been applied to achieve this determination and, if possible, record this for later reference.

Evaluating compliance requirements

Many a time, it’s fundamental to assess external factors such as regulatory compliance requirements and industry standards to make sure that you’re aware of guidelines or obligations that might require specific focus or emphasis.

Compliance requirements can be internal, such as security policies and data classification standards; and some can be external. Your first priority should be external compliance requirements that you are legally required to satisfy. Examples of these can be privacy and data protection acts. Industry standards and best practices (internal and external) should be second on your list of priorities. A good example of this can be the Payment Card Industry Data Security Standard (PCI DSS). Legal, industry standard, and best practice compliance requirements should be taken into account from the beginning to avoid issues down the line.

Learn more about compliance on AWS:

AWS Compliance

AWS Compliance Programs

AWS Compliance Latest News

Evaluating the threat landscape

Hope for the best, prepare for the worst. A thorough analysis of potential threats to your business is the best way to ensure you’re always prepared and ready to bounce back in case a threat is realized. The threat landscape is composed of all factors that might threaten the success of your business. These can include competition, business risk and liabilities, operational risks, and information security threats. The most effective way to carry out your threat landscape evaluation is to build a risk registry that includes details of all risks, their potential impact, and where to focus the efforts to remedy any associated issues in the worst-case scenario.

AWS best practices dictate that you should maintain a threat model. A useful threat model should include all potential threats your teams can identify, mitigations in place, planned mitigation, and their priority. All potential threats should be recorded with updated records of the likelihood that they’ll manifest as actual incidents, the recovery costs associated with them as well as the expected harm caused. In addition, if there are any measures available to prevent these incidents, the cost of these should be recorded as well. Even if your decision is to forego these precautionary measures it will be useful to have them recorded for future reference. The best threat models are always evolving and adapting. Constant improvement of your threat model should be your goal.

Useful AWS resources:

AWS Latest Security Bulletins

AWS Trusted Advisor

Evaluating tradeoffs

It’s not uncommon to find yourself in a situation where two desirable features that are ultimately incompatible. In these situations, it’s necessary to find a compromise. For instance, you might prioritize speed-to-market over cost optimization or choose a relational database for non-relational data to avoid updating your application, even if that means migrating to a database that is not optimized for your data type.

The key to making beneficial tradeoffs is having a clear understanding of your priorities and what’s most important to your business. Those should be the main factors on which you’re not willing to compromise. When faced with competing interests, it’s advisable to look into alternative approaches before opting for a tradeoff right off the bat. If this were not an option, then careful consideration and informed decision-making will be your best strategies when determining your course of action.

Managing benefits and risks

Being able to accurately determine where to focus efforts is absolutely essential to your success in the cloud. To do this, you need to be able to make informed decisions that result in the greatest possible benefits while minimizing risks. In a perfect world, we’d be able to obtain great benefits with no risk at all. However, we all know that, sometimes, the benefits outweigh the risks. For example, you might find yourself in a situation where you need to deploy a workload with unresolved issues, which is far from advisable. In spite of this, maybe the benefit of making significant new features available to customers is too great to ignore. In cases like these, it’s of uppermost importance to assess benefits and risks carefully. Firstly, the benefits must be substantial enough for you to consider going forward despite the risk. Secondly, the risks need to be carefully considered so that you can come up with a plan to minimize them.

Effective management of benefits and risks involves a balance between the potential positive outcomes against potential dangers. In order to correctly identify benefits, you need to take into base your analysis on business goals, needs, and priorities. Some examples might include time-to-market, security, performance, and cost. Business, development, and operations must all be taken into account to evaluate the value of the benefit against the potential negative outcomes that might arise should the risk realize and the consequences of its impact. For example, while an emphasis on speed-to-market over reliability could provide a competitive advantage, you might end up experiencing reduced uptime due to reliability issues. When it comes to benefit and risk management, there are no one-size-fits-all answers. For this reason, it’s key that you take your time and gather all available information. Only then will you be able to balance benefits and risks to maximize business potential.