APPLYING LEAN SECURITY TO THE BUSINESS
TRANSCRIPT
Prepared for DevOps Connect
DevOps initiatives succeed when the business transforms itself and becomes aligned with the desired behaviors.
Security initiatives fail when the business is misaligned and does not transform itself to achieve desired behavioral norms.
ROOT CAUSE ANALYSIS
Incentive model is broken
Priorities are misaligned
It’s ultimately about people!
THE SOLUTION: LEAN SECURITY
It must start by reforming organizational culture
“Security” truly becomes an emergent property
The goal of the Lean Security model is to transform how the business functions.
WHAT IS “LEAN”?
It’s About Improving Business Management
Reduce Waste; Increase Efficiency and Effectiveness
Emphasis on Learning and Legacy (People!)
WHAT IS “LEAN SECURITY”?
Lean Security is a Business Management Model
In order to “fix” security, we must first fix the organization
Lean
Agile / Dev(Sec)Ops
TDD
WHAT IS “GENERATIVE CULTURE”?
• Shift from competition to cooperation
• Mindfulness, respect, learning, legacy
• Premised on shared stories and history
WESTRUM ON GENERATIVE CULTURE
“A generative culture will make the best use of its assets, a pathological one will not.”
“A typology of organisational cultures,” R. Westrum, Quality and Safety in Health Care, 2004. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1765804/pdf/v013p0ii22.pdf
How Organizations Process Information

PATHOLOGICAL (Power Oriented)    BUREAUCRATIC (Rule Oriented)    GENERATIVE (Performance Oriented)
Low Cooperation                  Modest Cooperation              Highest Cooperation
Messengers Shot                  Messengers Neglected            Messengers Trained
Responsibilities Shirked         Narrow Responsibilities         Risks Are Shared
Bridging Discouraged             Bridging Tolerated              Bridging Encouraged
Failure ➔ Scapegoating           Failure ➔ Justice               Failure ➔ Inquiry
Novelty Crushed                  Novelty ➔ Problems              Novelty Implemented
AWARENESS
Communication
− Openness
− Clarity
− Integrity
Collaboration
− Shared Tools / Platforms
− Cooperative Spirit
− Generative Culture
Discoverability
− Documentation
− Networking (human, not IT)
− Training
Stages of Psychosocial Development (proposed by Erik Erikson): Trust vs Mistrust; Autonomy vs Shame & Doubt; Initiative vs Guilt; Industry vs Inferiority; Identity vs Role Confusion; Intimacy vs Isolation; Generativity vs Stagnation; Integrity vs Despair
EXECUTION
Lean
− Efficient
− Effective
− Knowledge-creating
− Respectful & Mindful
− Optimized Quality
Test-Driven
− Cooperative/Generative (vs Competitive)
− Shared Values, Principles, Objectives, Risks, Tolerances
Dev(Sec)Ops
− Systems Thinking
− Amplify Feedback Loops
− Culture of Continual Experimentation and Learning
MEASUREMENT
Means / Method / Motivation
− Meaningful!
For example…
− Mean time to detection
− Mean time to response
− Mean time to recovery
− Mean time to remediation
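To make the four “mean time to” metrics above meaningful rather than decorative, they need fixed phase boundaries and a check that the underlying records are consistent. The following is an added example (not code from the talk or from New Context) that computes them from a constructed incident log; the phase definitions (occurred→detected, detected→responded, responded→recovered, recovered→remediated), the `Incident` record and the sample timestamps are this example’s assumptions, and the deck does not specify them. It reports the median beside each mean because a single slow incident can pull a mean far away from what most incidents experienced.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Dict, Iterable, List

# Added example, not part of the original talk. The phase boundaries below are
# assumptions; an organisation must agree on its own definitions before these
# numbers can be compared across teams or over time.


@dataclass(frozen=True)
class Incident:
    ident: str
    occurred: datetime    # adverse event began (often learned only in hindsight)
    detected: datetime    # first noticed by a person or a control
    responded: datetime   # someone started working the incident
    recovered: datetime   # business function restored (a workaround counts)
    remediated: datetime  # root cause fixed so it cannot recur the same way


# Phase name -> (start attribute, end attribute). Assumed definitions.
PHASES = {
    "time_to_detection": ("occurred", "detected"),
    "time_to_response": ("detected", "responded"),
    "time_to_recovery": ("responded", "recovered"),
    "time_to_remediation": ("recovered", "remediated"),
}

STAGE_ORDER = ["occurred", "detected", "responded", "recovered", "remediated"]


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def validate(incident: Incident) -> None:
    """Reject records whose timestamps are out of order. A negative phase
    duration would silently lower a mean and hide a data-quality problem."""
    stamps = [getattr(incident, name) for name in STAGE_ORDER]
    for earlier, later, name in zip(stamps, stamps[1:], STAGE_ORDER[1:]):
        if later < earlier:
            raise ValueError(f"{incident.ident}: '{name}' precedes the previous stage")


def is_consistent(incident: Incident) -> bool:
    try:
        validate(incident)
        return True
    except ValueError:
        return False


def phase_hours(incidents: Iterable[Incident]) -> Dict[str, List[float]]:
    """Per-phase list of durations in hours, one entry per incident."""
    result: Dict[str, List[float]] = {name: [] for name in PHASES}
    for inc in incidents:
        validate(inc)
        for name, (start, end) in PHASES.items():
            result[name].append(_hours(getattr(inc, start), getattr(inc, end)))
    return result


def incident_metrics(incidents: Iterable[Incident]) -> Dict[str, Dict[str, float]]:
    """Mean and median per phase; report both, since one outlier skews the mean."""
    return {
        name: {"mean": mean(hours), "median": median(hours)}
        for name, hours in phase_hours(list(incidents)).items()
    }


def parse_ts(text: str) -> datetime:
    return datetime.fromisoformat(text)


# Constructed sample data, not real incidents.
SAMPLE_INCIDENTS = [
    Incident("INC-1", parse_ts("2024-03-01T02:00"), parse_ts("2024-03-01T04:00"),
             parse_ts("2024-03-01T04:30"), parse_ts("2024-03-01T08:00"), parse_ts("2024-03-03T08:00")),
    Incident("INC-2", parse_ts("2024-03-05T10:00"), parse_ts("2024-03-05T10:10"),
             parse_ts("2024-03-05T10:20"), parse_ts("2024-03-05T11:20"), parse_ts("2024-03-06T10:20")),
    # Detected two days after it began: this one dominates the detection mean.
    Incident("INC-3", parse_ts("2024-03-10T00:00"), parse_ts("2024-03-12T00:00"),
             parse_ts("2024-03-12T01:00"), parse_ts("2024-03-12T09:00"), parse_ts("2024-03-20T00:00")),
]

if __name__ == "__main__":
    for name, stats in incident_metrics(SAMPLE_INCIDENTS).items():
        print(f"{name:22s} mean={stats['mean']:7.2f}h  median={stats['median']:7.2f}h")
```

On the constructed data the mean time to detection is about 16.7 hours while the median is 2 hours: two of three incidents were detected quickly and one was not. Reporting only the mean would obscure that, and fixing the one slow detection would move the mean far more than any improvement to the other two.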
SIMPLIFICATION
Lowest common denominator, economic value
When all else fails, go back to Awareness and Execution
Simplification drives improved cooperation
− If too complex, (re)factor, find a better approach
− Find ways to break silos
− Take a systemic view
− Identify and address “undiscussable issues”
AUTOMATION
What can be automated?
− Builds, Deployments, Maintenance (CI/CD)
− Workflows
− Provisioning
What can’t be automated?
− Why not?
− Human as fail-safe
− Trust issues: real or imagined / manufactured?
Ops / Tech / Process Maturity
− e.g., if we move to a cloud-first strategy, can we actually support that and do it “right” without harming the business?
THANK YOU
Andrew Storms, CISSP
@St0rmz / @newcontext
newcontext.com
Ben Tomhave, MS, CISSP
[email protected]
@falconsview / @newcontext
newcontext.com
Confidential. Not for public distribution.