Balance Compliance and Experimentation by Joanne Molesky - The Lean Startup Conference 12/11/14
•Download as PPT, PDF•
1 like•958 views
Recommended
Recommended
More Related Content
What's hot
What's hot (10)
Viewers also liked
Viewers also liked (20)
Similar to Balance Compliance and Experimentation by Joanne Molesky - The Lean Startup Conference 12/11/14
Similar to Balance Compliance and Experimentation by Joanne Molesky - The Lean Startup Conference 12/11/14 (20)
More from Lean Startup Co.
More from Lean Startup Co. (20)
Recently uploaded
Recently uploaded (20)
Balance Compliance and Experimentation by Joanne Molesky - The Lean Startup Conference 12/11/14
- 1. 1 Balancing Compliance and Experimentation @jemolesky #LeanEnterprise
- 3. Laws, regulations and management Business Laws & Regulations Frameworks, Standards Mandated Compliance Guidance Influence Influence Influence Management Policies Process Controls
- 4. Avoid risk management theatre 4 • One process to rule them all • Success is following the process • Stops people from getting their work done • Pass the audit • Lack of responsibility
- 5. 5 Everyone owns this
- 6. 6 Finding the Balance - Apply Lean Principles to GRC
- 7. 7 Create a shared understanding
- 8. The way we work should determine controls Taliesen http://mrg.bz.ziSMzq 8 Rollingroscoe http://mrg.bz.vOsu5e Kconnors http://bz/PY1Jni
- 9. 9 Map the value stream • End to end value delivery • Identify times • Encourages collaboration • Measure improvement
- 10. Consider GRC from the beginning 10 • Type of Information • Take a risk based approach • Control access • Mastery and craftsmanship • GRC specialist are part of the team
- 11. Traditional security compliance UAT Test Backlog In dev Analysis Prod CI Code review Manual security testing Pen Test
- 12. Risk based security compliance Security stories, AC Inception Test In dev Analysis UAT Prod High Level – obligations, adversaries, assets, disaster scenarios Threat model & risk matrix Coding guidelines, pairing, code reviews CI Manual security testing Pen test Automated code analysis, security proxy, model verification Logs, Firewall, IDS, WAF,IPS
- 13. Seek controls that maintain flow 13 • Right level of granularity • Decisions by responsible people • Boundaries defined • Risk based controls • Contain the blast area • Use compensating controls
- 14. Create visibility and transparency 14 • Demand participation • Leave a trail of evidence • Visible means visible • Be disciplined, be consistent
- 15. 15
- 16. 16 Experiment - start small and build out
- 17. 17 Gov.uk alpha design principles • Don’t slow down delivery • Decision when they are needed and at the right level • Do it with the right people • Go see for yourself • Only do it if it adds value • Trust and verify https://digitaltransformation.blog.gov.uk/2014/06/24/governance-principles/
- 18. 18 Seek Perfection PatriciaEGreen2 http://mrg.bz/7YvKW7
- 19. 19 Most significant challenges • Organizational structure not designed for fast pace of digital demands • Business process too inflexible to take advantage of new opportunities • Inability to adopt an experimental mind-set that is key for best practices http://www.mckinsey.com/insights/business_technology/The_digital_tippingbusiness_point_McKinsey_Global_Survey_results
- 20. 20 Conclusion Manage risks, not compliance Seek controls that match the way we work Create a shared understanding and cross collaboration Visualize and create flow
- 21. Thank you - Questions? http://bit.ly/leanentp @jemolesky | @barryoreilly #leanenterprise | @jezhumble
Editor's Notes
- http://www.mckinsey.com/insights/business_technology/the_digital_tipping_point_mckinsey_global_survey_results
- Laws and Regulations : Sox, Hippa, Privacy laws, security breach laws, Air transport, Government and Government agencies Frameworks, Standards – Guidance – ISO 270001, ITIL, CobiT, COSO, TOGAF Laws and Regulations – Sox, Privacy Laws, Security breach legislations Frameworks and Standards – CobiT, ISO 27000 series, ITIL, COSO, PCI DSS Policies and Processes – Information Security, Access, Change Management, Solution Delivery Life Cycle Controls – Approvals, reviews, limited access, boundaries
- Reduce risks with smaller decisions with more frequent review Goal is to pass the audit, not reduce the risks Approvals and reviews by busy people or those who don’t have a clue Throwing over the wall Those doing the work are not responsible One process to rule them all Success measured by following the process
- If we leave this to auditors and risk and compliance people to worry about this, we get what we deserve. Our responsibility to understand the obligations and work collaboratively to figure out the best way to achieve this, given our own knowledge and experience. Dirty little secret – Most IT auditors ads GRC people have never actually worked in IT. They don’t understand the process, tools or capabilities to leverage them. It is up to us who are doing the work to educate them. To do that intelligently, we need to understand their language and the intent of the control, not the specific way they think we should meet the controls meet the control.
- http://www.mckinsey.com/insights/business_technology/the_digital_tipping_point_mckinsey_global_survey_results
- Make decision around assumptions how information is presented Based on your ‘experience’ what is the decision? What is the colour represented value -- how much would you bet? Microsoft story -- 1/3 wrong, no impact, add value
- Dirty little secret – Most IT auditors and GRC people have never actually worked in IT. They don’t understand the process, tools or capabilities to leverage them. It is up to us who are doing the work to educate them. To do that intelligently, we need to understand their language and the intent of the control, not the specific way 0t meet the control. Story Suncorp Australian Insurance and Banking company Coming out of a growth strategy which involved acquisitions with multiple brands of insurance and legacy back end systems to support it. Realized growth had to come from another place. Goal move all brands onto one platform - Mainframe. Go from agile to continuous delivery, leverage fewer, stronger, more trusting partnerships with software development partners Story of controls required for ODCs
- End to end value to the customers Identify times, handovers, waiting times and queues Encourage collaboration between functional silos Build empathy, trust, partners and shared understanding In example above, Planning and setup takes 3 – 4 weeks elapsed time, Actual time to do the work – 3 – 4 days, Identify where to start experimenting Scientific based on measurement baseline to improve "In solving problems you get the best outcome by imagining the ideal solution and then working backward to where you are today" –Ackoff Stories Segregation of Duties
- Privacy by Design – consider type of information Access Control – Authentication, Authorization, Accountability Mastery – encryption, vulnerability prevention, design for detection and recovery Security, internal Risk and Compliance part of the team Applicable compliance issues Threat modeling Automated security and compliance testing
- Sony, MoM, UK Gov
- Sony, MoM, UK Gov
- Move decisions to lowest level of responsibility, based on relative risk and defined boundaries Story of PCI and Segregation of duties - Etsy
- Create visibility and transparency into who has done what and when. Leave a trail of evidence Auditor code: ‘If it isn't written, it doesn’t exist’ Demand participation –standups, showcases, pairing exercises, inceptions and iteration planning. Leave a trail of evidence Create visibility Monitors and screens Kanban boards, Lightweight documentation Be disciplined, be consistent
- Add notes regarding the situation
- Transparency - into process and progress - and what is happening Gov UK Digital transformation dashboard https://www.gov.uk/transformation
- http://www.mckinsey.com/insights/business_technology/the_digital_tipping_point_mckinsey_global_survey_results
- Companies with over a billion dollars in annual revenue
- What are the things that need to be considered beyond technology i.e. automation, software craftsmanship Set people up for success i.e. vision statement for you team, define what you believe to be your purpose and engage leadership to get their feedback Consider end to end flow for value i.e. create a value stream map with stakeholders involved to start the understanding and collaboration Get comfortable with uncertainty i.e. create safe-to-fail experiments