Investigating Policy Violations – Investments Unlimited: Chapter 2

Welcome to the second installment of our series based on the book Investments Unlimited: A Novel about DevOps, Security, Audit Compliance, and Thriving in the Digital Age. Written by Helen Beal, Bill Bensing, Jason Cox, Michael Edenzon, Tapabrata Pal, Caleb Queern, John Rzeszotarski, Andres Vega, and John Willis.

Last time, Susan held an explosive all-hands meeting as her executive team exchanged blame over IUI’s governance crisis. Now, intrepid engineer Michelle is digging deeper to pinpoint exactly which IT policies have been violated. But will senior leaders heed the painful truths?

Tuesday, March 29th (continued)

“Okay everyone, let’s do this!” Tim announced. He was standing at the front of a conference room crammed with VPs and SVPs. He had been in meetings like this many times before. Everyone was here to defend their territory, to just say they were part of it, or to sit back, listen, and then complain later.

Tim looked around the room. Carol, the VP of Engineering Digital Banking, was seated right across from him, and Bill was seated across from Jada. Each of the political nemeses were now face to face without Susan refereeing.

Let the melee begin, he thought, was tamping down his feigned enthusiasm.

“Carol, let’s get you up to speed,” Tim began. “Jada, Bill, Jennifer, and I met with Susan earlier today regarding the MRIA we received. Has Jennifer filled you in on the conversation?”

“Yes, yes, Jennifer and I met earlier, and she gave me the rundown. If I understand it correctly, we shot ourselves in the foot by not responding adequately to these MRAs over the past twelve months. I think it was something like fifteen MRAs that either we didn’t respond to or our response was sub par?” Carol shared.

“That’s right,” Tim responded. “Today’s agenda is simple. We must compile a list of the findings. We will then review this list with Susan and our progress on addressing the actions in the weekly huddles with her and, likely, an external audit team, until we submit our response to the regulators in three months.”

Bill quickly interrupted. “What do we do about the big release? Our teams have been working on Project Prisma for the last few quarters. We can’t cancel that.”

“Really? What do we do when we’re shut down?” Jada shot back.

“Obviously we need to keep the business running while addressing the MRIA,” Tim jumped in, hoping to quell yet another fight between Product and Risk. 

“Let’s take a step back. What kept us from addressing these issues right up front? Why haven’t we responded to the MRAs sufficiently? What’s the bottleneck?”

Bill furrowed his brow. “Are we talking about the MRIA or the MRAs? I’m totally confused now.”

“If we had responded to the MRAs in time and adequately, we wouldn’t have the MRIA.” Tim sounded a little exasperated.

“Well, we did push back on several of these MRA findings,” Carol spoke up. “We asked questions on the ones that don’t make sense or don’t apply. But we got radio silence. Zero response!” She turned to Jada. “We get no help from the Risk or Audit teams.”

Jada looked puzzled. 

Carol looked back at Tim. “See?! That’s the problem. We not only have to manage our engineering projects but we have to shepherd all this paperwork to get stuff done here. I don’t have enough people to do that. And it sure isn’t in our backlogs.”

“Yes, yes, I get it!” snapped Tim. “I understand the bickering, but that isn’t helping right now. We are here today to identify the issues raised in MRAs that led to this MRIA and then report back to Susan.” Tim felt like a broken record.

Carol sighed. “It always falls to Engineering to fix everything. I won’t have all the blame game going against my developers. Engineering is about building things, building bridges across seemingly impossible problems and arriving at new destinations. I know some people here have little appreciation for the role, but there are great rewards in seeing good outcomes. 

“I’m inviting Michelle, one of my senior staff engineers, to this meeting,” Carol announced. “She has historically raised compliance concerns, and she’ll be an asset to this conversation.” Carol turned to her phone and typed a message on the inter-office chat system.

“It’s terrifying that Engineering and Product have no clue how to manage risk,” Jada said, warming up her artillery.

“Isn’t that your job?” Bill responded with a smug smile.

“Ugh.” Tim sat down. It looked as though he had given up on refereeing the meeting. The conversation went on like this for several more minutes, a constant stream of back and forth, not one of the prize-fighters addressing the single action for the meeting that Tim had laid out.

“Okay, we aren’t getting anywhere,” Tim said loudly, raising his arms to quell the discussion that had risen several octaves in the last five minutes alone. “So much complaining,” he stated, as if he epitomized a glass house. “You all are starting to sound like my kids fighting each other when I tell them to clean their room. I’m always amazed at the big mess they create while trying to clean up the small mess. Truth is, it’s simply because they spite each other rather than work together.”

Michelle arrived like a whirlwind and the room went silent. Her arms were full of a laptop, tablet, paper notebook, and pen. She sat down next to Carol and hastily arranged her stuff on the table. Her long black hair was pulled back into a ponytail and her eyes were bright. She looked poised for action and clearly had something to say.

Carol introduced her to the room, most of whom had never met or worked with her directly. “Michelle is one of my best engineers, despite the fact that she’s been at IUI the shortest of anyone else in this room. But there’s no doubt in my mind that she needs to be here. Since Michelle joined IUI from a smaller company, she’s brought with her a youthful energy and knowledge of the latest ways of working. She doesn’t shrink from expressing her opinions, even to senior leadership.” Carol looked pointedly around the room. “She’s a change agent. And that’s exactly why Jason had recommended her for the job, and why we need her to help with this mess.”

“But does she have the necessary experience . . .” Jada began.

“After she joined IUI as a junior engineer, Michelle soon took on the mantle of security liaison for the entire Engineering team,” Carol interrupted. “She’s worked with Tim’s group conducting code reviews of applications all across IUI. And she’s been responsible for answering questions that come up during PCI DSS compliance reviews. She even coauthored the annual state of security report.”

“Okay, okay,” Jada said. “Sounds like she’s a good person to help us out. Let’s hear what she has to say.” 

“I knew this was going to happen,” Michelle said firmly and succinctly. “I sent out a memo months ago warning everyone about this exact scenario, but everyone was too busy to pay attention? Well, here we are. I told you that our manual, one-size-fits-all security review with IUI’s large portfolio of applications was a disaster waiting to happen. Our software development life cycle risk reduction practices are just too immature. And on top of that, we’ve been ignoring the findings from our own Audit team.”

Bill snapped in response. “If Security and Audit would get us a unified set of requirements and work with us to comply without slowing us down so much, we’d be in a better place.” Bill’s frustration was evident in his voice and on his face. “We’re constantly balancing competing requirements for the IUI portfolio. What we need to be doing is delivering value to our customers. You try doing that while juggling competing priorities from the business.”

“Bill, not to be too much of a punk, but I do that. Me! It all rolls downhill, and guess who has two thumbs and is at the bottom? This person,” Michelle said, her thumbs pointing at her face as she stood up for herself. Carol smirked.

A short, tense pause was felt in the room. “Audit doesn’t have requirements,” Jada broke in. “Audit’s role is simple. We look at the controls, what IUI says it should do to manage risk, and compare it to what we actually do. Audit doesn’t make the rules—heck, they don’t even recommend controls. Audit answers the question: Is IUI doing what they say they should be doing?”

“That’s not true. This time last year I remember getting a long list of ‘thou shalts’ from Audit. It’s like you all intentionally keep the details to yourself and then slap our hands when we don’t read your minds!” Bill shot back. “If I can’t get requirements from you, then where do we get them from?”

Tim quickly interrupted, “Jada, Bill  .  .  .  hold those thoughts. We’re supposed to report to Susan on the MRIA. We need this exact conversation but not right now.”

Michelle quickly followed up. “I suggest we break down the audit finding into stages and then try to understand what technology and process improvements need to be applied.” She opened her laptop to begin reading the summary of the findings.

“Michelle, I appreciate the enthusiasm, but let’s take this up a level,” Tim replied. “The MRIA has summarized all the previous findings. It states here in the Executive Summary: Inconsistent process, ineffective in ensuring security and compliance, resulting in unauthorized and vulnerable software with significant number of defects being released to production.”

“That tells us nothing!” Michelle stated passionately. “Inconsistent process? Well, hashtag-facepalm, duh. This is only telling us what we already know.” Frantically scrolling through the report on her screen, Michelle followed up with, “Where in here do they tell us specifically what we need to fix?”

“They don’t and they won’t,” replied Jada. “That report only tells us what we already know: we aren’t following our own processes, and our processes may be missing something. It’s our job to respond with what we will do to address that concern. Where are the teams storing their processes these days? The Risk organization stores all its information and tracking details in our GRC system.”

Just mentioning the Governance, Risk, and Compliance system caused an audible groan in the room. Jada didn’t even pretend to be shocked. Her own teams even complained about the GRC system and its impossible user interface.

“Engineering teams document their processes in markdown and source control them in our Git repositories. The same area where we store code,” Michelle responded.

“Security is supposed to capture info and store it in the knowledge management module of our internal service system,” Tim added.

“Product tracks all of its requirements in our ticketing system,” Bill said.

“Four organizations and four different places to store information. That seems like a red flag,” Carol said. “Michelle, how do the engineers use each of these systems?”

“Engineering takes its marching orders from the ticketing system the Product team uses. We live our lives in that system. In general, no one in engineering knows about the GRC system. Nor do they care. I only know about it by researching compliance issues we had with a release a couple quarters ago. As for the knowledge management system, well  .  .  . ” A sudden pause filled the room, then Michelle continued. “We know about it, and most of us have access. Although we don’t use it. Most of the information is incomplete, out of date, or inaccurate. If we have a security issue or question, we back channel it. If we can’t back channel it, we consider it a good old college try, then move on. Our best security advice mostly comes from internet searches.”

Tim barely managed to keep a straight face as he heard Michelle’s last comment.

Carol said, “If you’re the most in-the-know person, and this is how you operate, this looks like something we need to consider. How can we ever do what we say we are doing if we can’t figure out where to go to do the things we need to do?”

“I swear I read that same sentence in a Dr. Suess book before,” Bill quipped.

“Our response to Susan is becoming a bit clearer now,” Tim interjected. Everyone turned their heads toward him, all with confused expressions. “We can’t tell her what’s wrong when we collectively don’t know specifically what the issue is. All we know is, somehow, someway, the full process is broken. Bits and pieces may work in silos, but it doesn’t work as a full system, and I’m broadly speaking when I use the word ‘system.’”

“Then what should our response be?” Jada asked everyone around the table.

“I have an idea,” Tim said, regaining control of the conversation. “Michelle has the best grasp on how things operate. She has proven she’s able to work across all of our areas.” He looked at Michelle. “Michelle, how long would it take you to dig deeper, read the specific MRAs, and come up with a current state and the basis of a proposal for a future state?”

Feeling a bit under the gun, Michelle responded, “Are you asking me to figure out how to respond to the MRIA?”

“No, not at all,” Tim replied. “Think of it as an outline with a sole focus on listing the specific issues. We’ll collectively build a response, but first, and to your point earlier, we need specifics.”

“Okay, sure. What’s the timeline?” Michelle asked. 

“Today is Tuesday, and the weekly huddle is every Thursday,” Tim said.

“Well, we won’t have the details this Thursday. I don’t think that any quality research can be done with what remains of today and tomorrow.”

“Yes, I agree,” Tim interrupted. “Let’s meet next Wednesday, same time and place. That gives you a week. Remember, we aren’t looking for solutions right now; we’re simply looking for an outline. The best outline would be based upon, and I’ll restate what Jada said earlier, what we say we should be doing and what we are, or are not, doing.”

All eyes were on Michelle. She sat there deep in thought. She didn’t appear to be under pressure. Rather, she appeared to contemplate if the time was satisfactory for the required research. A few seconds passed as if they were ten long minutes.

“Carol, Bill, I need to offload some work to the team today. To make this happen, this needs to be my only focus. I have enough research so far that I’m confident I can have an outline by next Wednesday if I’m not also trying to do other work.” 

“Okay, good. Remember, while you’re accountable for this, you don’t have to be the only person to actually do the work. Bill, can you assist Michelle?” Tim asked.

Bill looked bewildered. His organization’s backlogs were so backed up that each backlog had a backlog item to review the backlog! He had his own process issues to figure out with Marketing, Sales, and Finance. But Bill knew this was not a question but a political “volun-told” situation. He didn’t have to agree. After all, he didn’t report to Tim. But he knew how important this was. Bill had a keen sense that work like this may become a mainstay for him, and his organization, in the future. This was important. 

Bill replied with a simple, “Yes, I can.”

“Okay, so we have a plan,” Tim said. “Come next Wednesday, Michelle and Bill will have a draft outline of the things we say we are doing and the reality of how we are or are not doing them. To ensure as much clarity as possible, we must keep our scope to the poorly answered MRAs addressed under the MRIA statement in the executive summary.”

Tim looked around the room. Everyone nodded in agreement. A rush of optimism swept the room. It felt like things were finally starting to move.

“Tim, why don’t you, Jada, and I stop by Susan’s office to set expectations?” Carol said, as it was evident the meeting was coming to a close.

“Agreed,” replied Tim. “This MRIA is a ticking time bomb.”

Wednesday, March 30th

Michelle and Bill showed up to the office the next day at their usual time. Bill wandered over to Michelle’s cube around 9:30 am.

“Morning, Bill,” Michelle said.

“Good morning to you as well. So, do you have a recommendation for where we start?”

“Yes, yes I do. I combed through all of my emails and previous research last night. I moved it all to a new folder on the shared drive called ‘MRIA Madness.’ More of an ode to March Madness; less about our own madness.”

Bill chuckled a bit. He thought the title was witty.

“First thing I’ll do today is speak again with each of the people I’ve talked with to generate this research. I started a document called 1 – MRIA Outline. I added the ‘1’ to it so it’s the first document when you open the share drive.”

“Good call,” Bill replied.

“I’ll summarize my findings in this document and link to any other relevant information. My approach is to start with Risk and Audit. I want to trace the process starting with us stating ‘this is what we do.’ I’ve decided to give a single word to these ‘things we do.’ I’m calling them promises. ‘This is what we do’ is a promise we are making to regulators and customers and to each other.”

“That’s actually brilliant, Michelle,” Bill replied. “Putting my Product hat on, that would be a good way to market any change management we need behind this. Controls are very sterile, but promises—well, no one wants to break a promise.”

Michelle smiled, recognizing the compliment. “Sure. Thanks, Bill,” she said. “After I find all these promises, I’m going to trace each one to some type of implementation. We need to see how we commit to keeping these promises we make. It’s basic, but it’s a start. I don’t want to over complicate the discovery process. What do you think of the approach?”

“Ship it,” Bill replied. “How about you and I meet up at 3:00 pm every day? I’ll set aside two hours to analyze your info and help compile the outline. Does that work for you?”

“Sure, works for me!”

This first day seemed to be the longest and shortest day at the same time. Michelle spent every minute hopping around the office. No one was outside her scope of calendar invites and office drop-ins. She was pleased to find that many of the people she talked to were more than willing to help.

During it all, she realized a very important aspect of humanity. People love to talk about themselves, especially when someone is listening to them moan about a problem. Even though Michelle was still fairly junior in her career, she had a natural knack for facilitating unstructured conversation.

For one meeting, Bill joined. He was impressed with how she led the conversation with empathy. She often said things like “I know what you mean. I felt the same way,” or “I can see how that was difficult for you.” Bill on the other hand was visibly annoyed by some of their criticisms, demeanor, and complaints. He was able to keep his mouth shut, but his blood was boiling on the inside.

Michelle noticed. She smiled and thought to herself, For a person who’s mostly listening in, Bill sure looks like he wants to share a few choice words with people. Michelle took a different approach, however. She found endearing ways to cut through the complaining and self-centered attitude of many people. As a result, she was able to elicit facts.

Three o’clock in the afternoon came quickly. It seemed to creep up on Michelle like a bad guy in a horror film. She arrived at Bill’s office. It wasn’t much, really. It was like all the other offices at IUI. It was situated on the outside wall of the floor with windows on two walls and the standard, sterile, corporate-painted sheetrock for the other two walls. There was a tidy desk and a small conference table in the room. It looked like a great spot to work until she realized how hot the office was with the afternoon sun beating down on them through the windows.

Michelle and Bill reviewed all the interviews from that day. It was clear that they had uncovered two big pieces of information. First, they had documented the use of over twenty-four systems, spreadsheets, and documents used to capture the “things we say we are going to do.” Second, their list of interviewees had grown exponentially.

“I know we’ve grown, but wow, you don’t realize how big a small company can get until you try to talk to almost every employee,” Bill said.

“I have no clue what it was like here before, when you old-timers had to walk to work, uphill, both ways, in the snow,” Michelle joked. “But yes, we are big. I’ve now met folks who have worked here longer than I have but I can’t recall ever seeing their faces before.”

“Well, with all that aside,” Bill continued, “I think we can start the document.”

Sitting next to Bill at his office conference table, Michelle opened up her MRIA Outline document and typed the following:

MRIA

Finding/Concern – Inconsistent process, ineffective in ensuring security and compliance, resulting in unauthorized and vulnerable software with significant number of defects being released to production.

Current State – Promises (aka “Controls”)

• Documented software release process
• Documented software testing process
• [Continue here tomorrow]

“Well, that summarizes everything. Although that just seems like too few words for all the jibber-jabbing, complaining, and real facts we uncovered today,” Bill said.

“It’s late and I’m too tired to think about how to include anything else. We have copious notes. If we need to, we can always go back to them,” Michelle responded.

“Touché, touché,” Bill said.

Michelle saved her document and then closed her laptop. It was a couple minutes past five, and she had to get going. Her babysitter got cranky if she had to watch Michelle’s twins later than six o’clock.

“I need to leave. I’ve had enough for the day. Let’s pick this back up tomorrow,” Michelle suggested.

“Agreed,” Bill responded.

Michelle walked back to her cube, grabbed her belongings, and started toward the parking garage. She passed many of the people she’d spoken with earlier. Tossing each one of them a soft smile, she couldn’t help but wonder to herself, IUI has smart and driven people. How could so many things go wrong at a place like this?

Yikes, that was a tense meeting! Will IUI reconcile its internal conflicts and craft a governance reform plan to satisfy regulators? Keep listening in our next episode as Michelle and her team are put to the test. Join us next time for the continuation of the story. The full novel can also be purchased in paperback, ebook, and audiobook format right now at your favorite retailer.

- About The Authors

Helen Beal

Coauthor of Investments Unlimited.

Follow Helen on Social Media

• 
• 

Bill Bensing

Bill Bensing tranforms Shadow IT into legitimate software development organizations. Bill's recent thought-leadership is proving software devliery velocity and highly secure and compliant software are not mutally exclusive. He lives in Tampa Bay, FL, area.

Follow Bill on Social Media

• 
• 

Jason Cox

Director, Global SRE @ Disney | Speaker | Co-Author of Investments Unlimited

Follow Jason on Social Media

• 
• 

Michael Edenzon

Michael Edenzon is a senior IT leader and engineer that modernizes and disrupts the technical landscape for highly-regulated organizations. Michael provides technical design, decisioning, and solutioning across complex verticals and leverages continuous learning practices to drive organizational change. He is a fervent advocate for the developer experience and believes that enablement-focused automation is the key to building compliant software at scale.

Follow Michael on Social Media

• 
• 

Dr. Tapabrata "Topo" Pal

Dr. Tapabrata "Topo" Pal is a thought leader, keynote speaker, evangelist in the areas of DevSecOps, Continuous Delivery, Cloud Computing, Open Source Adoption and Digital Transformation. He is a hands-on developer and Open Source contributor. Topo has been leading and contributing to industry initiatives around automated governance in DevOps practices. Topo resides Richmond, Virginia with his wife and two children.

Follow Dr. Tapabrata "Topo" on Social Media

• 
•