Establishing a Technology Vision for a Cannabis Business IT Department

Posted byShawn DeggansPosted inEmployees, Infrastructure, IT ManagementTags:, ,

This is a bit different from what I usually post on here, but I think you’ll find it useful. This isn’t about any specific technology. It’s more of a guide for IT Managers who have been tasked with setting a Technical Vision for their organization.

  1. Building a Technology Vision that’s More than Fluff
    1. What exactly is a technology vision?
    2. Aligning Business Goals to Technology Vision for Cannabis Business IT Managers
      1. Establishing Clear Objectives
      2. Understanding the Technology Needs
      3. Planning for the Future
    3. Assessing Current Systems and Infrastructure for Cannabis Business IT Managers
      1. Identifying System Components
      2. Assessing Performance
      3. Identifying Weaknesses
      4. Security Audits
      5. Penetration Testing
      6. Risk Assessments
      7. Vulnerability Scanning
      8. Security Training
    4. Implementing an Agile Release Process for Software and Integrations in a Cannabis Business
      1. Establish a Cross-Functional Team
      2. Create a Roadmap
      3. Develop a Release Strategy
      4. Automate Where Possible
      5. Monitor and Evaluate
    5. In Closing
    6. Feel Free to Download and Share this Article

Building a Technology Vision that’s More than Fluff

Creating a technology vision for a cannabis business IT department is an important part of ensuring the success of the business. To ensure the technology vision is successful, there are several key points that need to be taken into consideration.

This is often put squarely on the shoulders of the IT Manager, and by IT Manger, I mean anyone in a leadership role in the cannabis business’s IT Department. In this article I’ll discuss how this is changed from an event expected from one leader in the organization to a practice that can become a regular part of an IT team’s best practices.

I want to touch on how the needle has moved in regards to running IT departments. Businesses as a whole are moving away from the old command-and-control way of thinking. In the cannabis industry, we still have some of that command in place in the form of compliance to state and local laws related to cannabis. However, cannabis production sits squarely in the domain of agriculture and manufacturing. In the manufacturing domain systems intelligence is regularly moving closer to the machine and the machine operators. This human in the loop approach means that far more of the important decisions are left in the hands of the people who work with the machines daily.

This is not unlike the growing of cannabis. Though the cannabis business should establish Standard Operating Procedures for your grow rooms, the processes that make up those procedures should be coming from those who are most hands-on with the plants. As an IT Manager, you will often find yourself in the difficult position of fulfilling the expectations of cannabis business owners and leaders, local laws and requirements, as well as the needs of your IT teams, which are typically made up of intelligent, and opinionated individuals.

My goal for this quick guide is to give you a few pointers toward processes and tools that should make your life as an IT Manager easier. Much of this about taking some of the old standards of IT Management and addressing them with the newer, and I do think better, ways of working.

What exactly is a technology vision?

A technology vision is a set of goals for the IT department to strive for. It should include both short-term and long-term objectives, as well as a plan to implement those objectives. It should also include strategies for achieving those objectives, such as the use of cutting-edge technologies, automation, and data-driven decision making. Additionally, a technology vision should also include a plan for monitoring progress and making improvements as needed.

In my opinion this shouldn’t be a huge plan followed step-by-step, but should be the foundational document that sets the vision for how an IT department works to achieve the business objectives using technology. This document should basically establish the way you work. There are a number of areas that I believe you should cover, and I will go into those in this document.

Aligning Business Goals to Technology Vision for Cannabis Business IT Managers

Creating a successful technology vision for a cannabis business IT department begins with understanding and aligning the business goals with the technology vision. It is important for IT Managers to consider the short and long-term goals of the cannabis business and how technology can be used to achieve those goals.

To help IT Managers align business goals to their technology vision, here are some key points to consider:

Establishing Clear Objectives

In order to ensure successful alignment of business goals and technology vision, it is important to establish clear objectives. This means identifying the specific goals and objectives of the cannabis business and how technology can support those goals.

It’s not always clear how that can be done. How do you align business goals or desired business outcomes to the actual technology?

I like to use the Opportunity Solution Tree collaborative tool introduced by Teresa Torres to help with this process. This is a product development tool designed to help teams discover opportunities related to a desired business outcome. Once you understand the opportunities in great enough detail, you can then focus on solutions for those opportunities. Using this tool regularly with your IT team makes it easier to tie the solutions to tactical architecture decisions.

Understanding the Technology Needs

Once the objectives are established, IT Managers need to understand the technology needs of the cannabis business. This includes understanding the current technology infrastructure, the necessary hardware and software, and the potential for new technology.

This is one of the areas where you have to take into account the special context of cannabis as a highly-regulated market in states where it’s legal.

When creating a technology vision for a cannabis business IT department, there are several primary technology areas that need to be taken into account. These include:

  • Security: Cannabis businesses must adhere to strict security protocols and adhere to state legal requirements, and to protect customer data and secure the business.
  • Compliance: Cannabis businesses must comply with local, state, and federal laws, as well as any applicable industry regulations.
  • Cloud Computing: Cloud computing offers the cannabis business the ability to scale quickly, reduce costs, and access the latest technology.
  • Business Intelligence: Business intelligence tools can help analyze data and generate actionable insights to help inform decision-making.
  • Automation: Automation can help increase efficiency and reduce costs. Automation solutions can range from simple scripts to complex solutions that automate entire processes like automating cultivation systems and inventory management.
  • Mobile Applications: Mobile applications can help cannabis businesses connect with customers, extend reach, and increase engagement.
  • Reliable point-of-sale systems that work with compliance systems like METRC.
  • Internet of Things (IoT): IoT devices can help cannabis businesses monitor operations, improve customer experience, and increase efficiency.

By understanding the technology needs of the cannabis business, IT Managers can create a technology vision that supports the business goals and objectives.

Planning for the Future

Finally, IT Managers need to plan for the future. This means anticipating changes in the cannabis business and its technology needs, as well as staying up-to-date on the latest technology trends and best practices. This will help IT Managers ensure that the technology vision is in line with the business goals and will allow them to create a roadmap for future growth.

This means tracking news related to the cannabis industry and paying close attention to local and state laws related to cannabis. These can change quickly with each voting cycle.

I want to recommend Wardley Maps here again as a tool to help evaluate new tools and systems. WM gives you a way to look at your customer value chain and determine if adding something to this chain will increase your value proposition in the market. As technology professionals, we’re often capture by the siren’s song of new, shiny objects. Block Chain might seem like a good technology, but do you really have use for it in your cannabis cultivation department? Maybe, there might be some use of it there, but I wouldn’t consider it until I had a chance to sit down with the team and do a few mapping exercises to see where we are and where the new tech could take us.

Assessing Current Systems and Infrastructure for Cannabis Business IT Managers

Cannabis business IT Managers need to assess the current systems and infrastructure in order to create a successful technology vision. This includes understanding the existing hardware and software, and the potential for new technology.

To assess the current systems and infrastructure, IT Managers should take the following steps:

Identifying System Components

IT Managers should begin by identifying the components of the current system and infrastructure. This includes understanding the hardware, software, and other components that are being used in the system.

This is a big undertaking. It’s not something I would want to take on all at once. If you don’t have some type of documentation built around your existing systems, I suggest you start with something small and high-level. I’m a fan of diagrams. And you don’t necessarily need fancy icons that represent specific brands or products. Those might be helpful, but when you’re first discussing what your existing tactical architecture looks like, squares and lines with arrows are a reasonable place to start.

I think this needs to be a collaborative exercise where you include the whole team. This gives someone who may never work in the cultivation part of your business an opportunity to understand what systems and applications are used there.

I would also suggest you avoid discussing any major changes, even though as you go through this exercise you’ll likely find a few things you think need improving. The goal of this process is to inventory what you have, not to try to plan for big updates.

Assessing Performance

Once the components are identified, IT Managers should assess the performance of the system. This includes understanding the performance of the system in terms of speed, reliability, and security.

I think there’s an incremental way to accomplish this. And if I needed to build a strategy for taking on this task, there are two tools I would use.

I would use Wardley Mapping to pinpoint what technology in our customer value chain closely aligns with the customer. Basically, the closer a component is to the customer, the higher priority I would give it. Not that we would ignore the less visible components, because we would definitely want to address those items, as well. But Wardley Maps would help me to pinpoint where to set my backlog work priorities.

The second tool I would use is AWS’s Well Architected approach to systems.

The AWS Well-Architected Framework is a set of best practices designed to help organizations build resilient, secure, and cost-efficient systems on the AWS Cloud. It is a comprehensive approach to cloud architecture that addresses the five pillars of cloud architecture: operational excellence, security, reliability, performance efficiency, and cost optimization.

The framework provides guidance and best practices to help organizations understand the most important architectural considerations and design decisions when using the AWS Cloud. This includes identifying and mitigating potential risks, building secure systems, and ensuring cost-effectiveness.

The framework is based on a set of questions and evaluation criteria that can be used to assess the architecture of a system. The framework also provides a set of tools and resources to help organizations build, manage, and measure their architectures against the five pillars.

The AWS Well-Architected Framework is an excellent tool for organizations looking to build secure, resilient, and cost-efficient systems on the AWS Cloud. By understanding and following the framework’s best practices, organizations can ensure that their systems are optimized for the cloud, and that they can take advantage of the full range of AWS services to maximize their investment.

Even though this was designed by AWS engineers for AWS, it doesn’t mean that it can’t also be applied as a lens to your existing tactical architecture. Even when considering vendor Software as a Service applications, it’s worth asking questions about operational excellence, security, reliability, performance efficiency, and cost optimization.

Identifying Weaknesses

IT Managers should also identify any weaknesses in the system and infrastructure. This includes assessing any potential risks or vulnerabilities that could pose a security concern.

Uncovering weaknesses in cannabis business IT systems and infrastructure is an important part of ensuring the success of the business. To identify potential risks and vulnerabilities, IT Managers should use the following tools and processes.

Security Audits

One of the biggest areas of weakness is in system security. A security audit is a thorough review of the technology used by a business. This includes assessing the hardware, software, and other components of the system, as well as understanding and evaluating the existing security protocols. A security audit can help identify potential weaknesses in the system and provide recommendations for improvements.

One tool the team can use to audit the overall system is to perform an EventStorming session with a focus on security and vulnerabilities. EventStroming can give you a more complete vision of the overall system and how the component part’s communicate and interact.

I don’t like the old way of having a yearly or quarterly big event security audit. I think they’re a waste of time and effort. Usually, some outside firm comes in, does a complete scan of your system using a set of proprietary tools and leaves you with a huge report. You get a big bill and a big report that doesn’t necessarily help you take actionable steps. I’m not saying that partnering with a security firm isn’t a good idea. It can be, as long as the security is a continuous process.

Think about it this way, you’re system is constantly undergoing changes. With each new release of software the security profile of your systems have changed. Do you think doing a yearly evaluation of your system is really going to protect you? It will up until the time you or one of your integrated systems pushes a change out to production. So skip the big yearly audit or assessment and make this a regular part of your team’s way of working.

Penetration Testing

Penetration testing is a process of testing the security of a system by attempting to gain access to the system without authorization. This involves simulating an attack on the system and analyzing the results. Penetration testing can help uncover potential vulnerabilities and assess the effectiveness of security protocols.

Think about making PT a regular part of your software development life cycle (SDLC). If this is only done a few times a year or even a month, you could miss an important issue and leave yourself vulnerable.

Risk Assessments

Risk assessments are a process of identifying, assessing, and managing potential risks. This includes understanding potential threats and evaluating the security of the system. Risk assessments can help IT Managers identify potential weaknesses in the system and develop strategies for mitigating those risks.

This is another big picture item that you could cover with EventStorming and Wardley Maps. Use EventStorming to map out your existing architecture, and then use Wardley Maps to determine the risks of adding this new system or product to your customer value chain.

I think this is so important to the cannabis business, because there is so much at risk. Not only is the business in regular risk of compliance issues, but there are people’s health at risk. Something as simple as a contaminated gummie could critically injure someone. Risk assessment exercises should be a regular part of your processes.

Vulnerability Scanning

Vulnerability scanning is a process of scanning a system for potential vulnerabilities. This involves scanning for known vulnerabilities as well as identifying new ones. Vulnerability scanning can help identify potential weaknesses in the system and provide information about how to remediate those weaknesses.

One of the best new ways of managing this is with a Software Bill of Materials. Java has included a POM for many years, and other software languages have unique ways of keeping up with their library dependencies. Lately, some of the worst attacks have come from contaminated libraries that developers have unknowingly used to help bad guys either access your systems or corrupt your data. Consider adopting an SBOM process for your team.

Security Training

Security training is an important part of any IT system. This includes educating employees on security protocols and best practices. Security training can help employees understand the importance of security and how to protect the system from potential threats.

By using these tools and processes, IT Managers can uncover potential weaknesses in the system and develop strategies for mitigating those risks. This can help ensure the success of the cannabis business’s IT systems and infrastructure.

This is definitely one of the areas where it pays to hire either a managed service to help focus on your security or hire your own security professional. Every IT department should have at least one person whose entire job is to focus on security – this should also include operational technology and hardware. Cannabis businesses are a big target for theft. Because many operate on cash, putting strict processes and procedures around the handling of cash and the technology associated with handling cash should be a high priority.

Implementing an Agile Release Process for Software and Integrations in a Cannabis Business

Once you have a grasp of your existing systems, and a vision for how you can manage change within your environment, it’s time to establish a disciplined, but flexible approach to managing changes to production systems.

An Agile Release Process is a process for releasing software and other integrations in an iterative, incremental manner. It is a popular approach to software development, and it is well-suited to the cannabis business, which often has complex and rapidly changing requirements. An Agile Release Process can help cannabis businesses manage the complexity of their software development, and ensure that their software and integrations are released quickly, efficiently, and reliably.

To put an Agile Release Process into practice, cannabis business IT managers should take the following steps:

Establish a Cross-Functional Team

The first step in implementing an Agile Release Process is to establish a cross-functional team. This team should include members from multiple departments, including IT, operations, and customer service. This team should be responsible for managing the development and release of software and other integrations.

There are a couple of different tools that can help establish what type of teams you need to create. These are reflected in the systems they manage. I recommend every IT Manager read about Team Topologies. In my opinion it’s one of the best books on forming teams that fit into the right type of value chain. Another option is to look at Domain-Driven Design’s approach to building services from a context map. Team building is a big area worth the investment of time to build out.

Here is just a brief description of Team Topologies and Context Maps:

Team Topologies is a methodology developed by Matthew Skelton and Manuel Pais that helps organizations to build effective teams. It is based on the concept of a value chain, which is a way of thinking about the various stages of a process or system. The goal of Team Topologies is to build teams that are optimized for a particular value chain. Each team should be composed of members that have the right skills and experience to effectively manage a specific stage of the value chain. This ensures that teams are able to quickly respond to changes and deliver results efficiently.

Domain-Driven Design’s Context Map is a visual diagram used to represent the various elements of an application or system and their interrelationships. It is used to help teams identify dependencies between components, map out the entire system, and better understand the domain. The Context Map consists of three main components: bounded contexts, bounded contexts relationships, and upstream/downstream relationships. Bounded contexts are sections of the system that are identified based on their purpose and the data that they use. Bounded context relationships are lines connecting different bounded contexts, which represent the interactions between them. Upstream/downstream relationships are arrows that represent the flow of data and control between different bounded contexts.

One thing to keep in mind for the DDD Context Map; even though it states that it represents systems and software, those patterns can also represent teams. If you follow Conway’s Law and recognize that software systems tend to reflect the communication structure of the organization, you’ll realize that you can make your software systems more successful by changing the shape of the organization. Just as an aside, this is why in all of my planning and analysis work I will regularly touch on the importance of Strategic Architecture over Tactical Architecture. Tactical is easy and right when you establish the correct Strategic approach.

Create a Roadmap

The next step is to create a roadmap for the development and release of software and other integrations. This roadmap should include a timeline of when the software and integrations will be released, as well as a plan for how they will be tested and deployed. This roadmap should be updated regularly to reflect changes in the requirements and priorities of the business.

If you document everything we’ve accomplished so far, you now have a roadmap.

Now let me give you my opinion on roadmaps. Like like maps, they are wrong. But they can be helpful. And I believe they are more helpful when the items on the roadmap are focused on establishing a Capability and not some concrete event.

For instance, I’ve seen many roadmaps that look like the following:

  • Q1 – Build a data warehouse using Oracle cloud and then rebuild our standard reports that are Excel into Tableau Reports for the accounting team
  • Q2 – Purchase an ERP solution and integrate it into the rest of our systems
  • Q3, Q4 – Build a coupon and rewards system for our POS system in our dispensaries

You’ve probably seen these types of roadmaps. And admit, because I will too, we’ve all built these type of roadmaps. I am totally guilty of this myself. But that’s an old way of thinking. The new and better approach is to think of your roadmap as a series of capabilities you and your team want to develop. Our newly revised roadmap might look like the following:

  • Q1
    • Achieve the ability to move our disparate data sources to a unified cloud data system in order to meet the business outcome of making our data more accessible to different departments within the organization
    • Achieve the ability to create reports from cloud data that are secured, but still accessible to our various teams – we will start with the accounting team and incrementally convert their old Excel reports to cloud-based reports
  • Q2
    • Understand our organization’s needs related to enterprise resource planning with a organization-wide EventStorming workshop
    • Organize an evaluation team to match our findings from the EventStorming workshop to ERP offerings
    • Achieve the ability to plan, release, and administer an ERP
  • Etc..

In my opinion, the second roadmap is much better. We aren’t focused on the technology or even just the release of the new technology, we’re focused on the abilities and capabilities around the business need. Now that does tie to a technology, but the tech isn’t the first thing we think of. The first thing we think of is meeting the strategic goal and then forming teams, systems, and processes around making that goal a success. This puts into context the idea that we want to push tactical decisions down to the last necessary second. Notice that on my roadmap I didn’t mention product names. I think Oracle is a great product, but by the time we get to actually building a data warehouse, my team might come back and tell me that based on what we’re doing, Oracle is overkill. We would actually be fine using PostgreSQL or MariaDB running as a platform as a service on Azure or AWS. Again, the selection of technology shouldn’t be something we need to call out on our roadmap.

Capability is king here. My team and my department have the skills to build, maintain, and to efficiently and effectively run workloads on a cloud data warehouse is far more impressive than mentioning a piece of technology on your roadmap.

Develop a Release Strategy

Once the roadmap is in place, the cross-functional team should develop a release strategy. This strategy should include a detailed plan for how the software and integrations will be tested and released. This should include a plan for how user feedback will be gathered and incorporated into the release process, as well as how to ensure that the software is secure and reliable.

This is one area where I feel like everyone has reached some level of maturity. Almost everyone has some type of continuous deployment and continuous release process in place. Because cannabis businesses are so highly regulated, many people fear regular releases and they tend to think you need to have a whole gated process with a change management board and a long process before anything goes into production.

That is not the case. What you need are systems and processes in place within your release pipeline that meet the criteria of the compliance requirements. Laws are different for each state or region, so I won’t touch on any one of them here, but I will state that you can put rules and policy into code. And coded policy in my opinion is far more reliable than a group of meeting in a conference room to go through a checklist of systems getting released.

Automate Where Possible

Another important part of implementing an Agile Release Process is to automate where possible. Automation can help reduce the amount of time and effort needed to release the software, as well as reduce the risk of errors. Automation should be used wherever possible, including in the testing and deployment of the software.

I think it’s important to remember that your automation code is just as important as your infrastructure and software code. It should be approached as a team capability. And the team should be involved in selecting the tools and products to make it happen.

Monitor and Evaluate

Finally, the cross-functional team should monitor and evaluate the process on an ongoing basis. This should include tracking the progress of the software and integrations, as well as evaluating the effectiveness of the process. This will help ensure that the process is continually improving, and that the software and integrations are being released in a timely and reliable manner.

By following these steps, cannabis business IT managers can put an Agile Release Process into practice, and ensure that their software and integrations are released quickly, efficiently, and reliably.

And this circles us back to building our technical vision based on desired business outcomes. If you establish desired business outcomes, how do you know you’re meeting those outcomes? How do you know you’re on the right track?

Reporting and feedback loops. You have to make space for regular systems analysis. Where are you today vs. yesterday vs. where you want to be in the future? To do this, you must have the right systems in place. If you’re on the cloud or on-premises you will likely want a tool like Prometheus or DataDog. Most cloud solutions have great built in monitoring. Azure Metrics and logging are great and have a user friendly query language to help administrators build great dashboards. Grafana is a great tool for visualizing time-series data from these systems. These are great tactical solutions, but again I want to emphasize that you’ll need to know your desired business outcomes, how to measure if these outcomes are being met, and information radiators that can focus on these metrics.

In Closing

This document covered the basics for creating a Technical Vision for your cannabis business. I hope that you now see that the Technical Vision can be far more than fluff, but an actual tool for establishing, with the input and the help of your IT team. I also see this as a living document. You should check it into a code repository somewhere. Treat it like any other piece of software. Because with time you’ll think of it as the North Star of your department’s Operating System. It should be reviewed and updated often. It should be something you feel good about handing out to leaders, partners, and especially new employees.

I hope this has been helpful. If you would like further help, please don’t hesitate to put some time on my calendar. I would love to help you and your team build a true Technical Vision.

Feel Free to Download and Share this Article

establishing-a-technology-vision-for-a-cannabis-business-it-department_63a0a181Download

Published by Shawn Deggans

I’m a solution architect with a focus on event-based data platforms using Microsoft Azure Cloud and Open Source technologies. I’ve been developing solutions using web and cloud technologies for over twenty years. Recently, I’ve set my focus on the Controlled-Environment Agriculture (CEA) domain, and I’m building partnerships with individuals and organizations interested in using my skill set to deliver their desired business outcomes. My goals as a consultant and technologist are to help teams better align their technology efforts with business outcomes in a way that is clear and observable through collaborative Domain-Driven Design workshops and DevOps practices. I help deliver solutions that are tailored for the needs of the organizations I serve with a focus on Internet of Things, machine learning, and analytics on Azure Cloud and open source technologies.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: