A little while back, I was talking with my company’s CTO about which engineering behaviors we wanted to encourage in order to keep promoting trust and safety.

How do we build in helpful behaviors? How do we make doing the right thing easy? How do we make things repeatable, scalable, and resilient? How do we spend our time on the most valuable things?

There are, of course, multiple interesting answers to these questions and many things our teams are doing to excel in these areas. But one of the things that came out of this discussion was that our CTO was having engineering leaders go back and read the (now classic) book, Lean Software Development: An Agile Toolkit by Mary and Tom Poppendiek.

So, I decided to do the same, and I also planned to share the lessons with my direct team (Business Information Security Officers) and the broader Risk & Security team. One of the BISOs on my team, who has also read the book, has volunteered to work with me on materials. We’ve got a great partner, too, who will help us turn the lessons and principles into handy resources the broader team can use.

So what is this writing for, then? This is my out-loud pre-work before we make those materials for the team.

I’m calling this series “Lean Security” instead of “Lean Software Development” because I’m coming at it from these two angles:

  • What do risk & security professionals need to understand about their product & engineering customers?
  • What elements from Lean Software Development also apply to security practices & products?

We have to be careful with the second bullet. Why? This is covered in the introduction of the book:

[Image: Lean Software Development.png]

What’s the difference, you might ask?

[Image: Lean Software Development (2).png]

With that in mind, we’ll focus on the Principles. We’ll reflect on how security practitioners can be good partners, aligned with people practicing Lean Software Development, and on what security Practices we might follow to carry out lean Principles.

Here’s the refresher of the Principles:

  1. Eliminate Waste
  2. Amplify Learning
  3. Decide as Late as Possible
  4. Deliver as Fast as Possible
  5. Empower the Team
  6. Build Integrity In
  7. See the Whole

Future posts in the series will cover each principle.

I’m happy to hear your thoughts, questions, or insights along the way!


Originally posted at Hey World