In the vein of bestselling titles The Phoenix Project and The Unicorn Project, Investments Unlimited will help organizations radically rethink how they handle audit, compliance, and security for their software systems. By introducing concepts, tools, and ideas to reimagine governance, this book will catalyze a more humane way to enable high-velocity software delivery that inspires trust and is inherently more secure. Read Part 1 of our exclusive excerpt here.
“Okay everyone, let’s do this!” Tim announced. He was standing at the front of a conference room crammed with VPs and SVPs. He had been in meetings like this many times before. Everyone was here to defend their territory, to just say they were part of it, or to sit back, listen, and then complain later.
Tim looked around the room. Carol, the VP of Engineering Digital Banking, was seated right across from him, and Bill was seated across from Jada. The political nemeses were now face to face without Susan refereeing.
Let the melee begin, he thought, tamping down his feigned enthusiasm.
“Carol, let’s get you up to speed,” Tim began. “Jada, Bill, Jennifer, and I met with Susan earlier today regarding the MRIA we received. Has Jennifer filled you in on the conversation?”
“Yes, yes, Jennifer and I met earlier, and she gave me the rundown. If I understand it correctly, we shot ourselves in the foot by not responding adequately to these MRAs over the past twelve months. I think it was something like fifteen MRAs that either we didn’t respond to or our response was subpar?” Carol shared.
“That’s right,” Tim responded. “Today’s agenda is simple. We must compile a list of the findings. We will then review this list with Susan and our progress on addressing the actions in the weekly huddles with her and, likely, an external audit team, until we submit our response to the regulators in three months.”
Bill quickly interrupted. “What do we do about the big release? Our teams have been working on Project Prisma for the last few quarters. We can’t cancel that.”
“Really? What do we do when we’re shut down?” Jada shot back.
“Obviously we need to keep the business running while addressing the MRIA,” Tim jumped in, hoping to quell yet another fight between Product and Risk.
“Let’s take a step back. What kept us from addressing these issues right up front? Why haven’t we responded to the MRAs sufficiently? What’s the bottleneck?”
Bill furrowed his brow. “Are we talking about the MRIA or the MRAs? I’m totally confused now.”
“If we had responded to the MRAs in time and adequately, we wouldn’t have the MRIA.” Tim sounded a little exasperated.
“Well, we did push back on several of these MRA findings,” Carol spoke up. “We asked questions on the ones that don’t make sense or don’t apply. But we got radio silence. Zero response!” She turned to Jada. “We get no help from the Risk or Audit teams.”
Jada looked puzzled.
Carol looked back at Tim. “See?! That’s the problem. We not only have to manage our engineering projects but we have to shepherd all this paperwork to get stuff done here. I don’t have enough people to do that. And it sure isn’t in our backlogs.”
“Yes, yes, I get it!” snapped Tim. “I understand the bickering, but that isn’t helping right now. We are here today to identify the issues raised in MRAs that led to this MRIA and then report back to Susan.” Tim felt like a broken record.
Carol sighed. “It always falls to Engineering to fix everything. I won’t have all the blame game going against my developers. Engineering is about building things, building bridges across seemingly impossible problems and arriving at new destinations. I know some people here have little appreciation for the role, but there are great rewards in seeing good outcomes.
“I’m inviting Michelle, one of my senior staff engineers, to this meeting,” Carol announced. “She has historically raised compliance concerns, and she’ll be an asset to this conversation.” Carol turned to her phone and typed a message on the inter-office chat system.
“It’s terrifying that Engineering and Product have no clue how to manage risk,” Jada said, warming up her artillery.
“Isn’t that your job?” Bill responded with a smug smile.
“Ugh.” Tim sat down. It looked as though he had given up on refereeing the meeting. The conversation went on like this for several more minutes, a constant stream of back and forth, not one of the prize-fighters addressing the single action for the meeting that Tim had laid out.
“Okay, we aren’t getting anywhere,” Tim said loudly, raising his arms to quell the discussion that had risen several octaves in the last five minutes alone. “So much complaining,” he stated, as if he epitomized a glass house. “You all are starting to sound like my kids fighting each other when I tell them to clean their room. I’m always amazed at the big mess they create while trying to clean up the small mess. Truth is, it’s simply because they spite each other rather than work together.”
Michelle arrived like a whirlwind and the room went silent. Her arms were full of a laptop, tablet, paper notebook, and pen. She sat down next to Carol and hastily arranged her stuff on the table. Her long black hair was pulled back into a ponytail and her eyes were bright. She looked poised for action and clearly had something to say.
Carol introduced her to the room, most of whom had never met or worked with her directly. “Michelle is one of my best engineers, despite the fact that she’s been at IUI the shortest of anyone else in this room. But there’s no doubt in my mind that she needs to be here. Since Michelle joined IUI from a smaller company, she’s brought with her a youthful energy and knowledge of the latest ways of working. She doesn’t shrink from expressing her opinions, even to senior leadership.” Carol looked pointedly around the room. “She’s a change agent. And that’s exactly why Jason had recommended her for the job, and why we need her to help with this mess.”
“But does she have the necessary experience . . .” Jada began.
“After she joined IUI as a junior engineer, Michelle soon took on the mantle of security liaison for the entire Engineering team,” Carol interrupted. “She’s worked with Tim’s group conducting code reviews of applications all across IUI. And she’s been responsible for answering questions that come up during PCI DSS compliance reviews. She even coauthored the annual state of security report.”
“Okay, okay,” Jada said. “Sounds like she’s a good person to help us out. Let’s hear what she has to say.”
“I knew this was going to happen,” Michelle said firmly and succinctly. “I sent out a memo months ago warning everyone about this exact scenario, but everyone was too busy to pay attention? Well, here we are. I told you that our manual, one-size-fits-all security review with IUI’s large portfolio of applications was a disaster waiting to happen. Our software development life cycle risk reduction practices are just too immature. And on top of that, we’ve been ignoring the findings from our own Audit team.”
Bill snapped in response. “If Security and Audit would get us a unified set of requirements and work with us to comply without slowing us down so much, we’d be in a better place.” Bill’s frustration was evident in his voice and on his face. “We’re constantly balancing competing requirements for the IUI portfolio. What we need to be doing is delivering value to our customers. You try doing that while juggling competing priorities from the business.”
“Bill, not to be too much of a punk, but I do that. Me! It all rolls downhill, and guess who has two thumbs and is at the bottom? This person,” Michelle said, her thumbs pointing at her face as she stood up for herself. Carol smirked.
A short, tense pause was felt in the room. “Audit doesn’t have requirements,” Jada broke in. “Audit’s role is simple. We look at the controls, what IUI says it should do to manage risk, and compare it to what we actually do. Audit doesn’t make the rules—heck, they don’t even recommend controls. Audit answers the question: Is IUI doing what they say they should be doing?”
“That’s not true. This time last year I remember getting a long list of ‘thou shalts’ from Audit. It’s like you all intentionally keep the details to yourself and then slap our hands when we don’t read your minds!” Bill shot back. “If I can’t get requirements from you, then where do we get them from?”
Tim quickly interrupted, “Jada, Bill . . . hold those thoughts. We’re supposed to report to Susan on the MRIA. We need this exact conversation but not right now.”
Michelle quickly followed up. “I suggest we break down the audit finding into stages and then try to understand what technology and process improvements need to be applied.” She opened her laptop to begin reading the summary of the findings.
“Michelle, I appreciate the enthusiasm, but let’s take this up a level,” Tim replied. “The MRIA has summarized all the previous findings. It states here in the Executive Summary: Inconsistent process, ineffective in ensuring security and compliance, resulting in unauthorized and vulnerable software with a significant number of defects being released to production.”
“That tells us nothing!” Michelle stated passionately. “Inconsistent process? Well, hashtag-facepalm, duh. This is only telling us what we already know.” Frantically scrolling through the report on her screen, Michelle followed up with, “Where in here do they tell us specifically what we need to fix?”
“They don’t and they won’t,” replied Jada. “That report only tells us what we already know: we aren’t following our own processes, and our processes may be missing something. It’s our job to respond with what we will do to address that concern. Where are the teams storing their processes these days? The Risk organization stores all its information and tracking details in our GRC system.”
Just mentioning the Governance, Risk, and Compliance system caused an audible groan in the room. Jada didn’t even pretend to be shocked. Her own teams even complained about the GRC system and its impossible user interface.
“Engineering teams document their processes in markdown and source control them in our Git repositories. The same area where we store code,” Michelle responded.
“Security is supposed to capture info and store it in the knowledge management module of our internal service system,” Tim added.
“Product tracks all of its requirements in our ticketing system,” Bill said.
“Four organizations and four different places to store information. That seems like a red flag,” Carol said. “Michelle, how do the engineers use each of these systems?”
“Engineering takes its marching orders from the ticketing system the Product team uses. We live our lives in that system. In general, no one in engineering knows about the GRC system. Nor do they care. I only know about it by researching compliance issues we had with a release a couple quarters ago. As for the knowledge management system, well . . . ” A sudden pause filled the room, then Michelle continued. “We know about it, and most of us have access. Although we don’t use it. Most of the information is incomplete, out of date, or inaccurate. If we have a security issue or question, we back channel it. If we can’t back channel it, we consider it a good old college try, then move on. Our best security advice mostly comes from internet searches.”
Tim barely managed to keep a straight face as he heard Michelle’s last comment.
Carol said, “If you’re the most in-the-know person, and this is how you operate, this looks like something we need to consider. How can we ever do what we say we are doing if we can’t figure out where to go to do the things we need to do?”
“I swear I read that same sentence in a Dr. Seuss book before,” Bill quipped.
“Our response to Susan is becoming a bit clearer now,” Tim interjected. Everyone turned their heads toward him, all with confused expressions. “We can’t tell her what’s wrong when we collectively don’t know specifically what the issue is. All we know is, somehow, someway, the full process is broken. Bits and pieces may work in silos, but it doesn’t work as a full system, and I’m broadly speaking when I use the word ‘system.’”
“Then what should our response be?” Jada asked everyone around the table.
“I have an idea,” Tim said, regaining control of the conversation. “Michelle has the best grasp on how things operate. She has proven she’s able to work across all of our areas.” He looked at Michelle. “Michelle, how long would it take you to dig deeper, read the specific MRAs, and come up with a current state and the basis of a proposal for a future state?”
Feeling a bit under the gun, Michelle responded, “Are you asking me to figure out how to respond to the MRIA?”
“No, not at all,” Tim replied. “Think of it as an outline with a sole focus on listing the specific issues. We’ll collectively build a response, but first, and to your point earlier, we need specifics.”
“Okay, sure. What’s the timeline?” Michelle asked.
“Today is Tuesday, and the weekly huddle is every Thursday,” Tim said.
“Well, we won’t have the details this Thursday. I don’t think that any quality research can be done with what remains of today and tomorrow.”
“Yes, I agree,” Tim interrupted. “Let’s meet next Wednesday, same time and place. That gives you a week. Remember, we aren’t looking for solutions right now; we’re simply looking for an outline. The best outline would be based upon, and I’ll restate what Jada said earlier, what we say we should be doing and what we are, or are not, doing.”
All eyes were on Michelle. She sat there deep in thought. She didn’t appear to be under pressure. Rather, she appeared to contemplate if the time was satisfactory for the required research. A few seconds passed as if they were ten long minutes.
“Carol, Bill, I need to offload some work to the team today. To make this happen, this needs to be my only focus. I have enough research so far that I’m confident I can have an outline by next Wednesday if I’m not also trying to do other work.”
“Okay, good. Remember, while you’re accountable for this, you don’t have to be the only person to actually do the work. Bill, can you assist Michelle?” Tim asked.
Bill looked bewildered. His organization’s backlogs were so backed up that each backlog had a backlog item to review the backlog! He had his own process issues to figure out with Marketing, Sales, and Finance. But Bill knew this was not a question but a political “volun-told” situation. He didn’t have to agree. After all, he didn’t report to Tim. But he knew how important this was. Bill had a keen sense that work like this may become a mainstay for him, and his organization, in the future. This was important.
Bill replied with a simple, “Yes, I can.”
“Okay, so we have a plan,” Tim said. “Come next Wednesday, Michelle and Bill will have a draft outline of the things we say we are doing and the reality of how we are or are not doing them. To ensure as much clarity as possible, we must keep our scope to the poorly answered MRAs addressed under the MRIA statement in the executive summary.”
Tim looked around the room. Everyone nodded in agreement. A rush of optimism swept the room. It felt like things were finally starting to move.
“Tim, why don’t you, Jada, and I stop by Susan’s office to set expectations?” Carol said, as it was evident the meeting was coming to a close.
“Agreed,” replied Tim. “This MRIA is a ticking time bomb.”
Read more in the upcoming book Investments Unlimited: A Novel about DevOps, Security, Audit Compliance, and Thriving in the Digital Age by Helen Beal, Bill Bensing, Jason Cox, Michael Edenzon, Tapabrata Pal, Caleb Queern, John Rzeszotarski, Andres Vega, and John Willis. Coming to a book store near you September 13, 2022.