Balance Compliance and Experimentation by Joanne Molesky - The Lean Startup Conference 12/11/14

Posted on 10-Jul-2015


Balancing Compliance and Experimentation

@jemolesky #LeanEnterprise

Understanding Compliance

Laws, regulations and management

Diagram labels: Business; Laws & Regulations; Frameworks, Standards; Mandated Compliance; Guidance; Influence; Management Policies, Processes, Controls.

Avoid risk management theatre


• One process to rule them all

• Success is following the process

• Stops people from getting their work done

• Pass the audit

• Lack of responsibility


Everyone owns this

Finding the Balance - Apply Lean Principles to GRC

Create a shared understanding

Image credit: Taliesen http://mrg.bz.ziSMzq

The way we work should determine controls

Image credits: Rollingroscoe http://mrg.bz.vOsu5e; Kconnors http://bz/PY1Jni


Map the value stream

• End to end value delivery

• Identify times

• Encourages collaboration

• Measure improvement

Consider GRC from the beginning

• Type of information

• Take a risk-based approach

• Control access

• Mastery and craftsmanship

• GRC specialists are part of the team

Traditional security compliance (pipeline diagram)

Stages: Backlog, Analysis, In dev, CI, Test, UAT, Prod. Security work shown: security stories and acceptance criteria (AC); code review, manual security testing and pen test, clustered late in the pipeline around Test and UAT.

Risk based security compliance (pipeline diagram)

• Inception: high level – obligations, adversaries, assets, disaster scenarios

• Analysis: threat model & risk matrix; security stories, AC

• In dev: coding guidelines, pairing, code reviews

• CI: automated code analysis, security proxy, model verification

• Test: manual security testing

• UAT: pentest

• Prod: logs, firewall, IDS, WAF, IPS

Seek controls that maintain flow

• Right level of granularity

• Decisions by responsible people

• Boundaries defined

• Risk-based controls

• Contain the blast radius

• Use compensating controls

Create visibility and transparency

• Demand participation

• Leave a trail of evidence

• Visible means visible

• Be disciplined, be consistent
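As an added example (not code from the talk or the deck), here is one way the risk-based pipeline above and the "leave a trail of evidence" principle fit together: each control appends a record to a hash-chained evidence log as it runs, and promotion to prod checks that the records the change's risk tier calls for are present and that the log has not been rewritten. The tier names, control names, change IDs and sample records are assumptions constructed for illustration.

```python
"""Risk-based release gate with a tamper-evident evidence trail.

Added example (not from the talk): each control in the delivery pipeline
appends a record as it runs, and promotion to prod requires the records the
change's risk tier calls for. The tiers, control names and the sample records
below are assumptions chosen for illustration.
"""
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record (assumption: fixed value)

# Controls a change must show passing evidence for, by risk tier (assumption).
# Higher tiers add the slower, manual controls instead of applying them everywhere.
REQUIRED_EVIDENCE = {
    "low": {"code_review", "automated_code_analysis"},
    "medium": {"threat_model", "code_review", "automated_code_analysis",
               "manual_security_test"},
    "high": {"threat_model", "code_review", "automated_code_analysis",
             "manual_security_test", "pentest"},
}


def _digest(body):
    # Canonical JSON so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_evidence(log, change_id, control, result, actor):
    """Append one control outcome, chained to the previous record's hash.

    The chain makes the trail tamper-evident: editing or deleting an earlier
    record changes the hash that every later record commits to.
    """
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"change": change_id, "control": control, "result": result,
            "actor": actor, "prev": prev_hash}
    record = dict(body, hash=_digest(body))
    log.append(record)
    return record["hash"]


def verify_chain(log):
    """Return (True, len(log)) if intact, else (False, index of first bad record)."""
    prev_hash = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "hash"}
        if body.get("prev") != prev_hash or _digest(body) != record["hash"]:
            return False, i
        prev_hash = record["hash"]
    return True, len(log)


def missing_controls(log, change_id, risk_tier):
    """Controls the tier requires that have no passing record for this change."""
    intact, bad_index = verify_chain(log)
    if not intact:
        raise ValueError(f"evidence log tampered at record {bad_index}")
    passed = {r["control"] for r in log
              if r["change"] == change_id and r["result"] == "pass"}
    return REQUIRED_EVIDENCE[risk_tier] - passed


def release_gate(log, change_id, risk_tier):
    """True when every required control has passing evidence on the chain."""
    return not missing_controls(log, change_id, risk_tier)


def build_sample_log():
    """Constructed records for two changes (sample data, not a real pipeline)."""
    log = []
    # CHG-17: a low-risk copy change, fully covered by fast automated controls.
    append_evidence(log, "CHG-17", "code_review", "pass", "reviewer:ana")
    append_evidence(log, "CHG-17", "automated_code_analysis", "pass", "ci")
    # CHG-42: a high-risk change to auth code; the pentest has not happened yet.
    append_evidence(log, "CHG-42", "threat_model", "pass", "team+grc")
    append_evidence(log, "CHG-42", "code_review", "pass", "reviewer:ben")
    append_evidence(log, "CHG-42", "automated_code_analysis", "pass", "ci")
    append_evidence(log, "CHG-42", "manual_security_test", "pass", "qa:cho")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("CHG-17 low  ->", release_gate(log, "CHG-17", "low"))  # True
    print("CHG-42 high ->", release_gate(log, "CHG-42", "high"),
          "missing:", sorted(missing_controls(log, "CHG-42", "high")))  # False ['pentest']
    # Rewriting history is detected: flip a past result and re-check the chain.
    log[3]["result"] = "fail"
    print("chain intact after edit ->", verify_chain(log)[0])  # False
```

The gate is deliberately risk-tiered: the low-risk change ships on automated evidence alone, while the high-risk change is held only for the one control it lacks, which is the "right level of granularity" the slide asks for. The chained hashes are what let an auditor trust the trail without re-doing the work; a log that can be silently edited after the fact is not evidence.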


Experiment - start small and build out

Gov.uk alpha design principles (https://digitaltransformation.blog.gov.uk/2014/06/24/governance-principles/)

• Don't slow down delivery

• Decisions when they are needed and at the right level

• Do it with the right people

• Go see for yourself

• Only do it if it adds value

• Trust and verify

Seek Perfection

Image credit: PatriciaEGreen2 http://mrg.bz/7YvKW7


Most significant challenges (McKinsey Global Survey: http://www.mckinsey.com/insights/business_technology/The_digital_tippingbusiness_point_McKinsey_Global_Survey_results)

• Organizational structure not designed for the fast pace of digital demands

• Business processes too inflexible to take advantage of new opportunities

• Inability to adopt an experimental mind-set that is key for best practices

Conclusion

Manage risks, not compliance

Seek controls that match the way we work

Create a shared understanding and cross collaboration

Visualize and create flow

Thank you - Questions?

@jemolesky | @barryoreilly

#leanenterprise | @jezhumble

http://bit.ly/leanentp