
DevOps improves security

Justin Arbuckle | June 11, 2015
Editor's note: After publishing CSO's original story, we asked the two main sources to write first-person accounts of the standing of DevOps in security. You can find the counterpoint here.

But how well has this idea held up since "Good to Great" was published in 2001? Not well. An article by Steven Levitt, of Freakonomics fame, tracked the performance of the companies praised in the book and found that many had since performed poorly, among them Fannie Mae (!), Circuit City and Wells Fargo. So is the idea of "the Big Idea" (or hedgehog concept) dead?

Phil Rosenzweig, author of "The Halo Effect", thinks so. He cautions against such pat cause-and-effect explanations of performance. For me, the core idea is that resilience is necessary because success is never absolute: the parameters of success are a function of the market, and that changes rapidly. Bad things happen, or a "Black Swan" arrives, as Nassim Taleb puts it. Taleb's idea of anti-fragility is also very powerful: consider an organization that is improved by change, like a leather satchel that is broken in and improves with age, rather than a crystal wine glass that ceases to function after a small knock.

What do resilient organizations look like? How do we organize to enable us to improve under threat? Is resilience the new 'hedgehog concept' and where does security fit in?

My thesis is that if there is a 'hedgehog concept' in modern business, it is velocity, not resilience. But resilience (including resilience to security threats) requires fox-like behavior in order to produce reliable business performance.

"Reliability depends on the lack of unwanted, unanticipated, and unexplainable variance in performance," as Eric Hollnagel put it.

Highly reliable organizations

Karl Weick is an organizational theorist who has studied how organizations make decisions and how they process the information on which those decisions rest. Much of this work has been in the area of highly reliable organizations.

A useful definition of reliability comes from another academic, Paul Schulman, "The major determinant of reliability in an organization is not how greatly it values reliability or safety per se over other organizational values, but rather how greatly it disvalues the mis-specification, mis-estimation, and misunderstanding of things."

Here are some examples of the kinds of organizations that promote this kind of behavior:

  • Naval aircraft carriers
  • Chemical production plants
  • Offshore drilling rigs
  • Air traffic control systems
  • Incident command teams
  • Wildland firefighting crews
  • Hospital ER/Intensive care units

A famous study of a failure of reliability is the loss of the Space Shuttle Columbia, which broke apart on re-entry into the Earth's atmosphere on Feb. 1, 2003. The orbiter was destroyed because a piece of foam insulation shed from the external tank during launch had struck and breached the leading edge of its left wing. The strike was noticed in launch imagery. Some engineers at NASA believed that the damage to the wing could be catastrophic, but their concerns were not addressed during the sixteen days Columbia spent in orbit, because management believed that even in the case of major damage there was little that could be done to fix it. So how can an organization fail to respond to this kind of information?
