applying lean security to the business

Upload: andrew-storms

Post on 15-Apr-2017

A Lean Security Firm

Lean Security: Applying Dev(Sec)Ops to the Business

Prepared for DevOps Connect

DevOps initiatives succeed when the business transforms itself and becomes aligned with the desired behaviors.

Security initiatives fail when the business is misaligned and does not transform itself to achieve desired behavioral norms.

ROOT CAUSE ANALYSIS

Incentive model is broken

Priorities are misaligned

It’s ultimately about people!

THE SOLUTION: LEAN SECURITY

It must start by reforming organizational culture

“Security” truly becomes an emergent property

The goal of the Lean Security model is to transform how the business functions.

WHAT IS “LEAN”?

It’s About Improving Business Management

Reduce Waste; Increase Efficiency, Effectiveness

Emphasis on Learning and Legacy (People!)

WHAT IS “LEAN SECURITY”?

Lean Security is a Business Management Model

In order to “fix” security, we must first fix the organization

Lean, Agile / Dev(Sec)Ops, TDD

WHAT IS “GENERATIVE CULTURE”?

• Shift from competition to cooperation
• Mindfulness, respect, learning, legacy
• Premised on shared stories and history

WESTRUM ON GENERATIVE CULTURE

“A generative culture will make the best use of its assets, a pathological one will not.”

“A typology of organisational cultures,” R. Westrum, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1765804/pdf/v013p0ii22.pdf

How Organizations Process Information

PATHOLOGICAL (Power Oriented)
− Low Cooperation
− Messengers Shot
− Responsibilities Shirked
− Bridging Discouraged
− Failure ➔ Scapegoating
− Novelty Crushed

BUREAUCRATIC (Rule Oriented)
− Modest Cooperation
− Messengers Neglected
− Narrow Responsibilities
− Bridging Tolerated
− Failure ➔ Justice
− Novelty ➔ Problems

GENERATIVE (Performance Oriented)
− Highest Cooperation
− Messengers Trained
− Risks Are Shared
− Bridging Encouraged
− Failure ➔ Inquiry
− Novelty Implemented

AWARENESS

Discoverability
− Documentation
− Networking (human, not IT)
− Training

Collaboration
− Shared Tools / Platforms
− Cooperative Spirit
− Generative Culture

Communication
− Openness
− Clarity
− Integrity

(Figure: Stages of Psychosocial Development, proposed by Erik Erikson: Trust vs Mistrust; Autonomy vs Shame & Doubt; Initiative vs Guilt; Industry vs Inferiority; Identity vs Role Confusion; Intimacy vs Isolation; Generativity vs Stagnation; Integrity vs Despair.)

EXECUTION

Lean
− Efficient
− Effective
− Knowledge-creating
− Respectful & Mindful
− Optimized Quality

Test-Driven
− Cooperative/Generative (vs Competitive)
− Shared Values, Principles, Objectives, Risks, Tolerances

Dev(Sec)Ops
− Systems Thinking
− Amplify Feedback Loops
− Culture of Continual Experimentation and Learning

MEASUREMENT

Means, Method, Motivation

− Meaningful!

For example…
− Mean time to detection
− Mean time to response
− Mean time to recovery
− Mean time to remediation

SIMPLIFICATION

Lowest common denominator, economic value

When all else fails, go back to Awareness and Execution

Simplification drives improved cooperation
− If too complex, (re)factor, find a better approach
− Find ways to break silos
− Take a systemic view
− Identify and address “undiscussable issues”

AUTOMATION

What can be automated?
− Builds, Deployments, Maintenance (CI/CD)
− Workflows
− Provisioning

Ops / Tech / Process Maturity
− e.g., if we move to a cloud-first strategy, can we actually support that and do it “right” without harming the business?

What can’t be automated?
− Why not?
− Human as fail-safe
− Trust issues: real or imagined / manufactured?

THANK YOU

Andrew Storms, CISSP
@St0rmz / @newcontext
newcontext.com

Ben Tomhave, MS, CISSP
@falconsview / @newcontext
newcontext.com

Confidential.  Not  for  public  distribution.