Getting the CISO to embrace DevOps

The following is a case study demonstrating the use of Peter Checkland's Systems Thinking tool, Soft Systems Methodology (SSM), applied here to think strategically about a problem situation in which the Information Security function of a large corporate is perceived by some members of the executive board to be slowing down the delivery of products and services into a competitive market.

The concerns are being expressed by the directors of product and engineering, who have recently succeeded in laying a foundation for highly collaborative DevOps practice. This foundation has matured over the last year, with the result that a number of Continuous Delivery pipelines are now operational for the business's most strategic online products and services.

This case study describes a problem situation that may be occurring in many large contemporary corporates that have implemented Continuous Delivery and DevOps practice.

This is part of a series of my blogs on how Systems Thinking tools and methods can be used in a transdisciplinary way within an area of practice. SSM is of interest in the context of DevOps and IT Service Management because it is a systemic method of enquiry that can be used in a learning cycle to gain an ever deeper understanding of a perceived problem situation.

A situation where one party imposes its view on the others usually leads to a degree of animosity, but it also derails a vital cycle of understanding and learning by the entire group. To stop this common unilateral mode of operation from undermining the learning cycle, SSM uses its method to seek accommodations that are acceptable to the issue owners, outcomes that they can all live with.

There will rarely be consensus, but the accommodations agreed through the facilitation of highly collaborative learning will prevent resentment and allow further learning cycles and further accommodations to be sought, gradually improving the problem situation.

The actors in the intervention :

Client: The ACME Corporation executive board
The practitioner: An external systems consultant (available from FrontFive)
Issue owners: DevOps/QA team; Product/Engineering directors; Information Security staff; Chief Information Security Officer (CISO)

A visual image created by the systems consultant with the input of the product / engineering directors who perceive the problem situation :

Front Five - Rich Picture

(PuppetLabs, 2013)

(InfoSecurity, 2015)

Norms and values analysis :

An analysis of the norms and values of the CISO is done in order to understand how these may be contributing to the complexity of the problem situation. Further social role diagrams may be created for the product and engineering directors as well as for development and operations staff members. The interplay between all these social roles is useful for learning about the complexity of the norms and values influencing the problem situation, and that understanding may help guide conversations to seek accommodations.


How would the product / engineering directors representing their worldview describe their ideal purposeful activity system to the CISO?

Customer (beneficiary): The beneficiary is the company, Acme Corp, which gains competitive advantage.
Active people: Development, QA, Operations and Security staff.
Transformation: Products and service features which are sitting in a developmental state as inventory in engineering are transformed into a reliable, tested, secure and operationally ready state and delivered quickly to the customer/user.
Worldview: The belief that going as fast as possible and beating the competition to market will make the company successful.
Owner: The Product and Engineering directors.
Environment (constraints): Access to skilled staff resources that can make the product useful, reliable, tested, secure and operationally ready. Staff who can work using an agile methodology and the continuous delivery subsystem.

The product/engineering directors' system, enacted by them for the benefit of the company, to get developmental products and service feature inventory from engineering into the hands of the online customer/user [what] by means of having available sufficiently skilled development, QA, operations and security staff who use an agile methodology and the automated continuous delivery subsystem [how] to get a reliable, tested, secure and operationally ready product or service into the hands of the customer/user as quickly as possible [why] in order to beat the competition, in the belief that going as fast as possible and beating the competition will make the company successful [worldview].

The systems consultant works with the product and engineering directors to model a system of purposeful activity representing their worldview : 

Front Five - DevOps purposeful activity model

Monitoring controls :

Efficacy: Has the developmental product or service inventory been transformed into a useful, tested, secure and operationally ready online product or service that the customer can now use to achieve their desired outcomes?
Efficiency: Is the automated continuous delivery subsystem getting the desired features to market quickly enough to satisfy an established demand, or to explore the potential for creating a new product/service demand, and is it doing so without using skilled knowledge labour for wasteful repetitive tasks?
Effectiveness: Is the company getting a competitive advantage in its market?

The intervention discussion to seek strategic accommodations :

The systems consultant convenes a meeting with the product and engineering directors and the CISO. The DevOps, QA and front line security staff also attend this meeting. The purposeful activity model is projected on a screen and compared against the actual problem situation.

The product/engineering directors and CISO (Chief Information Security Officer) discuss :

The CISO does not agree with the declared system worldview!

The worldview he subscribes to is that the products should not be released to the customer until application and data are secure or the risks have been mitigated and/or monitored in order to protect the company from potential reputation damage and litigation.

However, the CISO acknowledges that the real-world situation is very inefficient in the way that the security controls are being considered after the product/service has been developed and that security staff halting the finished product just before it is about to be released to the customer/user causes frustration. He agrees something needs to change and reflects on step 4 of the model to see if there are any accommodations that can be reached.

Strategic accommodations that are agreed after reflection on step 4 :

Strategic change 1: Distribute security responsibility to the agile team actors rather than keeping the expertise in a silo at the end. Embed a security expert in the Scrum team.
Desirable? Yes – improves efficacy.
Feasible? Yes, but the CISO says that although the security expert can be an embedded architect/consultant, the expert will not do implementation work, as that would be a conflict of interest.

Strategic change 2: Build security into applications by taking the security delivery requirements into the agile backlog rather than bolting them on afterwards.
Desirable? Yes – improves efficacy.
Feasible? Yes; the CISO says the security expert can be an embedded consultant advising on the creation of a backlog of security requirements.

Strategic change 3: Integrate security testing with modern orchestration tools (Jenkins, Puppet, Chef and/or Ansible) in the existing automated continuous delivery subsystem.
Desirable? Yes – improves efficiency.
Feasible? The CISO says, "Yes, automation will prevent repetitive manual work."

(Cohen, 2015)

The CISO concludes that he also wants to create a purposeful activity model, but modelled to his declared worldview to explore accommodations by the product/engineering directors to problems that he perceives need attention. The systems consultant agrees to start another SSM iteration.

Patrick Hyland, Partner at FrontFive