Many teams don’t see a way around the speed vs. security or agility vs. governance trade-offs in their enterprise organizations. The speed of modern cloud operations often outpaces control and governance. Cybersecurity teams often become blockers rather than enablers because of misaligned incentives.
Robert Scully, the Cloud Engineering Lead at WPP who presented at HashiDays this year, shared some illustrative fictitious scenarios that nevertheless were inspired by his real-world experiences. In his story, the key component to comprehensive development governance, while still maintaining the developer velocity typical for modern cloud environments, was a platform mindset.
Here are the key lessons he shared on building developer platforms that align governance with agility:
»1. Recognize and accept the tension
There are two competing forces at play — the need for governance (compliance, security, and financial management) and the need for agility (flexibility, creativity, and speed) — and every enterprise struggles to balance them.
Scully calls this push and pull between two equally valid business needs “attractive antagonism.”
“Your practice sits somewhere between these two needs. Serving one more than the other isn’t inherently bad, but sudden changes — such as a new acquisition, signing a client who requires a certificate of compliance, and so on — can influence these forces, which can place your current practice under strain. When these opposing forces are very strong and pull away from each other, that’s when you'll start to see real problems and your common practice may fall out completely. You end up with split processes, special cases for your management, unmanaged areas of your estate, or overcorrection in one direction or another.”— Robert Scully, Cloud Engineering Lead, WPP
Recognizing this dynamic tension is the first step toward aligning processes and creating a system where both governance and innovation can thrive.
»2. Bridge the gap with a developer platform
This natural tension creates a gap that must be bridged. According to Scully, building an internal developer platform can help, because a well-designed platform embeds compliance into automated workflows instead of burdening engineers with manual approvals and siloed processes.
“Your need for governance should be met by how the platform provisions resources, and your need for agility should be met by how the platform exposes this provisioning.”— Robert Scully, Cloud Engineering Lead, WPP
The platform itself becomes the mediator, delivering resources that are both compliant and easy to access.
»3. Treat the platform like a product
A developer platform is like any other software product; it must continuously be improved. “Delivering the platform is a journey, not a destination,” Scully says.
Treating the platform like a software product means applying the same principles developers use every day:
- Version control
- Modularity,
- iterative releases
- User feedback
To succeed, Scully says, “Deliver fast and often, releasing new features as quickly as you possibly can for your users.”
This mindset ensures that the platform will evolve alongside the organization and remain relevant to developers’ changing needs.
»4. Define and deliver “platform products”
At the core of every successful developer platform are reusable, standardized platform products. A platform product is any resource, solution, or service designed to solve a specific developer need in a way that meets organizational requirements.
Examples might include:
- A GitHub repository with built-in branch protection
- A cloud account with preconfigured cost controls and policies
- A secrets engine for managing credentials
By combining multiple platform products, organizations can offer complete, ready-to-use environments, which helps improve developer experience and accelerate velocity.
»5. Standardize workflows with infrastructure as code
Organizations with large, heterogeneous infrastructures need to unify operations around one central platform for various pre-defined workflows. Infrastructure as code (IaC) allows operations to integrate all of their infrastructure within version control and trigger automated deployments, all while maintaining governance.
For 5+ years, Robert Scully has used HCP Terraform for infrastructure as code:
“It [HCP Terraform] offers integrated workflow execution and can integrate directly with your version control systems providing very fast IC development iteration. It manages a private registry where modules or templates can be published and reused. It even supports deploying resources from some templates using no code. … At WPP Enterprise Technology, we treat the delivery of HCP Terraform with this mechanism as one of our core platform products, and we offer this as a platform for use internally by our teams.”— Robert Scully, Cloud Engineering Lead, WPP
By centralizing workflows in HCP Terraform, organizations ensure every deployment is consistent, compliant, and repeatable.
»6. Give developers a reason to use the platform
Even the best platform won’t succeed unless it’s easier to use than bypassing it.
“Your platform must be compelling to use and easy to integrate with. … It must be better than the path of least resistance.”— Robert Scully, Cloud Engineering Lead, WPP
Developers naturally gravitate toward the quickest solution. If the platform makes their jobs simpler, they’ll adopt it willingly.
»7. Deliver incrementally and continuously adapt
Many organizations are tempted to over-engineer their developer platform before launching. Scully says that’s a mistake. “You should not try to solve everything at once or wait until everything is ready,” he says.
A better approach is to deliver early, build confidence by solving developers’ biggest pain points, and expand over time.
Scully says teams should expect a few bumps along the way. “Things might get worse before they get better,” he admitted. “You may end up delivering against multiple different processes, but this shouldn't discourage you from what you're trying to achieve.”
Incremental improvement is how successful platforms gain trust and adoption across the enterprise.
»The five-minute sandbox
Scully also gave a hypothetical example of HCP Terraform workflows for products in action, called: “the five-minute sandbox.”
Through a self-service web portal, developers can request a preconfigured environment that includes a cloud account, code repository, policies, and pipelines, all deployed automatically in minutes.
- A cloud environment
- A Git repository
- Budget controls
- An IaC pipeline preconfigured with just-in-time credentials
- Role access
“All these resources are created and configured via fully automated linked workflows,” Scully says. “They’re ready to use within minutes of the request being made.”
This innovation embodies the ideal balance of governance and agility, empowering developers to experiment quickly without compromising compliance or cost controls:
- Agility: Developers get what they need fast.
- Governance: Everything is centrally visible, consistent, and compliant. Checks are highly automated. Fast-moving templates are required.
»Learn more
By adopting HCP Terraform and treating the platform as evolving software, companies can transform fragmented, ticket-driven processes into cohesive, automated workflows that empower developers while protecting the enterprise.
If you’d like to learn more about how you can eliminate the trade-off between speed and security while also involving compliance and FinOps in a more automated way (to potentially reclaim up to 40% of your cloud budget), read our guide: Optimize cloud operations and ROI with The Infrastructure Cloud.
Watch Scully’s entire presentation here:
