balance compliance and experimentation by joanne molesky - the lean startup conference 12/11/14
Balancing Compliance and Experimentation
@jemolesky #LeanEnterprise
Understanding Compliance
[Diagram: laws and regulations (mandated compliance) and frameworks and standards (guidance) influence the management policies, processes and controls of the business.]
Avoid risk management theatre
• One process to rule them all
• Success is following the process
• Stops people from getting their work done
• Pass the audit
• Lack of responsibility
Everyone owns this
Finding the Balance - Apply Lean Principles to GRC
Create a shared understanding
The way we work should determine controls
Map the value stream
• End to end value delivery
• Identify times
• Encourages collaboration
• Measure improvement
Consider GRC from the beginning
• Type of Information
• Take a risk based approach
• Control access
• Mastery and craftsmanship
• GRC specialists are part of the team
Traditional security compliance
Stages: Backlog, Analysis, In dev, Test, UAT, Prod
Controls, in pipeline order: security stories and acceptance criteria (AC); CI; code review; manual security testing; pen test

Risk based security compliance
Stages: Inception, Analysis, In dev, Test, UAT, Prod
Controls, in pipeline order:
• Inception: high level view of obligations, adversaries, assets and disaster scenarios; threat model and risk matrix
• Security stories and acceptance criteria (AC)
• Coding guidelines, pairing, code reviews
• CI: automated code analysis, security proxy, model verification
• Manual security testing
• Pentest
• Prod: logs, firewall, IDS, WAF, IPS
Seek controls that maintain flow
• Right level of granularity
• Decisions by responsible people
• Boundaries defined
• Risk based controls
• Contain the blast area
• Use compensating controls
Create visibility and transparency
• Demand participation
• Leave a trail of evidence
• Visible means visible
• Be disciplined, be consistent
Experiment - start small and build out
Gov.uk alpha design principles
https://digitaltransformation.blog.gov.uk/2014/06/24/governance-principles/
• Don’t slow down delivery
• Decisions when they are needed and at the right level
• Do it with the right people
• Go see for yourself
• Only do it if it adds value
• Trust and verify
Seek Perfection
Most significant challenges
http://www.mckinsey.com/insights/business_technology/The_digital_tipping_point_McKinsey_Global_Survey_results
• Organizational structure not designed for the fast pace of digital demands
• Business processes too inflexible to take advantage of new opportunities
• Inability to adopt an experimental mind-set that is key for best practices
Conclusion
Manage risks, not compliance
Seek controls that match the way we work
Create a shared understanding and cross collaboration
Visualize and create flow
Thank you - Questions?
@jemolesky | @barryoreilly
#leanenterprise | @jezhumble
http://bit.ly/leanentp