- Incident Detection and Response
- Penetration Testers and Red Teamers
- Cloud Security
- Application Security and DevOps

There are actually two major issues at play within the security and technology groups in most companies: 1) They have too much WIP (Work in Process), and 2) They have too much technical debt. These issues just exacerbate the talent shortage. But here’s the clincher: hiring more people won’t solve either of these two problems! Instead, the problems persist, and hiring managers just spin their wheels while nothing actually changes.

Most people understand the problem of technical debt (although that problem never seems to go away). But WIP? No one talks about this anymore, yet it’s the sole reason that DevOps was born–to reduce Work in Process. The authors of The Phoenix Project applied the concepts of lean manufacturing and reducing WIP outlined in The Goal to the business of technology and the Agile development style. And as we all know, the DevOps methodology has forever changed how software is developed. But here we are in 2019 with more WIP in our security processes than vulnerabilities in the National Vulnerability Database.

Why do I say that? Try this exercise: ask a colleague who’s not in the security department how they would file a security exception at your company. I’d bet two dozen long johns that they wouldn’t even know how to start the process. And if you show them the form, I’d bet another dozen fraparapa coffee drinks they couldn’t figure out how to fill out the form without having to ask a bunch of questions and chase down someone from security who can help answer questions.

So, what happens instead? Product teams just wait until the last minute (i.e. right before go-live) and then file the exception form. And now security is in a bind. I mean they can’t say “No, you didn’t follow the rules” and risk missing the go-live date. Not to mention security ends up looking like it’s just an impediment to the business. Instead, the security team scrambles to get the paperwork in place, which no one thinks about afterwards and probably isn’t even being tracked or monitored on the business side.

This is but one example (and one that most of us can identify with). But multiply that by the number of products and version launches at larger companies. How many security folks get pulled into these quagmires every week and spend the better part of their time dealing with something that should be automated in an online form?

The other problem, technical debt, is a close cousin to WIP. There aren’t enough resources to replace legacy infrastructure. So, instead, the security team has to be vigilant and monitor it, as well as report on it annually and kick and scream. But it’s a never-ending problem. Technical debt used to be synonymous with XP or Windows 2000. Now it means Windows 2003—next, it’ll be Windows 2008 and so on.

Of these two issues, WIP is in the hands of security (with the help of IT) to solve. There are two types of processes which security teams need to build and streamline: processes internal to the security team and processes that other parties outside of security need to follow. WIP can be reduced in both by identifying constraints and working with them. Just like in lean manufacturing, reduce batch sizes by breaking process steps into granular chunks and finding ways of bypassing the constraints. It’s really not hard, and doing so provides tangible results and measurable productivity increases. Better yet, more efficient processes mean that your senior staff can get more real work done, which should lead to longer tenures. It will allow your team to get more done without needing to hire a lot more people.
About the Author: Jeffrey Groman, CISSP, is the founder of Groman Consulting Group, dedicated to helping organizations identify and resolve their highest cybersecurity risks. Groman has worked in the security field for more than 20 years. As a cybersecurity consultant, he has guided major corporations, including banks, insurance companies, and software providers, through risk prevention and rapid response to incidents and breaches. Groman is passionate about the field of cybersecurity and partnering with clients to find solutions to complex issues. His book “Avoid These 11 Pitfalls and Minimize the Pain of Your Next Data Breach” is designed to help organizations learn from his years of real-world experience.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.