Utilising Agile and LEAN Concepts to Run an Effective Security Team

Ben Doyle, CISO, Asia Pacific, Thales

#RSAC Session ID: SDS1-F04

Post on 05-Feb-2018


Standup Agenda

Keep it short with a well-defined agenda

Long conversations get kicked out to a different meeting later

1 minute - Operational Health of Security Systems
2 minutes - Review daily reports
2 minutes - Malware threats in last 24 hours
2 minutes - Network threats in last 24 hours
2 minutes - Open Source Threat News in last 24 hours

Meeting set at 9:45 each morning for 15 minutes

As long as all information is prepared then it’s easy to fit everything in

JIRA – First Steps

Use Jira as a project/task management tracking system

Group small tasks into Stories, which may be part of a larger Epic
— Test and Deploy latest AV engine (task)
— Anti-Virus Endpoint Software Maintenance (story)
— End-Point Security Management (epic)

This allowed us to stop forgetting about things that needed to be done.

No priority was planned on what was done each week; we just used Jira to track it

JIRA – Second Step

Plan to move to sprints so we can define what we wanted to complete every 2 weeks

Requires focus on working on sprint tasks every day

Three months before starting sprints I asked the team to define at the stand-up meeting each day the one thing they will complete that day.

This is about building a habit

After 3 months we started to populate 2-week sprints with tasks we thought we could achieve

Sprint – Burn Down Graphs

185 issues/tasks created since the start

115 issues/tasks closed since the start

LEAN – Next Evolution

Yearly Objectives

Why people don’t find yearly objectives of value

Objectives don’t reflect reality by the end of the year

Unplanned business projects consume all the time

No planning on how and when to implement the objectives

Employees cannot see how their objectives link to company strategy

Value of objectives reduces because the failed outcome is the same each year

Hoshin Kanri provides a structure to tie employee milestones to management milestones, to company strategy

Team Managers Objectives

Team Member 3 Objectives

Hoshin Outcomes

Hoshin process added structure to the yearly objective settings

Team members found more value in understanding how activities linked together

Must use process in anger to gain understanding

Can be frustrating at first

One remaining missing piece to the puzzle

How do you link objectives to Sprints in Jira?

[Figure: diagram with the labels STRATEGY, OBJECTIVES, GOALS, TASKS and SPRINTS]

Apply What You Have Learned Today

Next week you should:
Start doing a daily standup (just start; the agenda can evolve)

In the first three months following this presentation you should:
Consider how you give the team visibility of all tasks
Consider if you can organise tasks into sprints to prioritise completion.

Within six months you should:
Map your team’s objectives to a yearly schedule for implementation
Organise, at a minimum, quarterly objective reviews

Thank You!