November 17th, 2021
Q: Just in the context of getting started, you know, where would you sort of approach given that most organisations of a certain size are very siloed in terms of their second and third-level defense?
A: So a few thoughts - usually needs to be a why and that can be triggered by an audit point or some other sort of issue that's arisen. An audit-driven development is a thing that I find can be quite useful when we are establishing this lean control approach.
In the Barclays context, we were harvesting audit points. So I had seven different audit points at one stage, all running with the same mitigation actions, which was to adopt elements of this approach. And that starts to create the right sort of level of energy around this, so there needs to be a clear why: why is this happening? How to get started?
Well, as with any way-of-working change, we would start small and we'd start with early adopters. And so when I work with information security folk, there is a population, and amongst that population there will be interested folk; they're innovators, they're keen, they understand new ways of working.
And there will be folk who are a lot more traditional and are a lot more reticent and nervous about it. So you've got a spectrum, and that's true in all the different functions. So you're trying to surface the more innovative folk. You're trying to start small, so you might start with one product area.
So for example, many organisations who have cloud platform teams are building out some sort of landing zone on the public cloud for their IT stuff that generates all kinds of governance, risk, and compliance issues because it's a new technology and none of the old standards work and everyone's scratching their head.
And the second line is just, like, causing so much grief because they don't have the technical awareness of the real risks involved. And so starting with a cloud platform team can be helpful, pairing them with safety folk, who are just special, you know, just going to get started there. That's one area in which I've seen this work very well. So you can get started small with just one safety team, one product team, and another organisation I'm working with at the moment. We haven't taken the cloud platform; we've simply worked with a team that is enthusiastic. They're already trying to change the way that they interact with their governance, risk, and compliance colleagues.
There's a lot of safety departments here and, my lesson from previously is, don't start with all of them, so start with a few, and it can help to start with the most technically savvy ones. So the three that I would choose to start with in my first mini safety team with the first product team would typically be information security, IT operations.
If you have a separate operations function that does kind of ITIL governance and service transition stuff, start with them, and then enterprise architecture, because the architecture board can often be a complete pain to, you know, to navigate. So, you know, architecture, Ops, and security. They're a good sort of group to start with.
But again, it depends on the organisation. In the one I'm working with at the moment, the architecture board has already been resolved. Okay, so they're not the bottleneck anymore. So actually architecture isn't necessarily the one that you need in the team. So it will vary. But you're going to start with just a handful of, you know, three people maybe to start with.
Q: The journey that you went through with Barclays, so you started small, how long did it take to get to, like you were saying, this at the final stage? This was running across thousands of teams. What was that?
Q: But what happens actually, where the risk and governance and compliance, we live with Excel sheets and PowerPoint to convert documents, and that's not going to be a great developer experience or a product team experience, like when it comes to.
Q: Does the model assume that all workers have equal commitments to safety?