Per aspera ad astra

A word on perspectives:

The concepts on this page are several I have found useful in a realm of hundreds of models. I have borrowed from these to give businesses and IT/Cybersecurity departments outlooks on how they are doing things right and how they can benefit from adjustments. This can be hard work requiring perseverance. If you can build these kinds of perspectives into the culture of the business, it will create an immune system, of sorts, that infuses productivity into the entire system. If you are stuck in a rut, outside parties can often have great effect in lending reasons to reorganize flows and avoid entropy.

The process of constant reevaluation is key to making the systems resilient. As a long-time rock climber, I know that rock + gravity + the movement of the ascent create a friction that inevitably = calluses. To make progress in climbing you need to reevaluate your technique and approach… and even your calluses. There is a point where the calluses, from getting too thick, will rip off. To avoid this, rock climbers will often sand down the calluses to make sure they are not impeding their climbing. This is much like ingrained processes. Even with the best intentions, if you don’t take the time to work on the processes, the callus could rip and create pain for the business. It is important to prioritize efficiency evaluations of processes for them to remain valuable.

NIST Cyber Security Framework - 5 Domains Applied to IT Leaders

IDENTIFY

Business: This domain translates into inventorying the fundamental workflows and components the business needs to achieve profit, security and productivity. This can be a daunting task, but it is a required piece of keeping your role relevant at any business.

Information Security:

  • Asset Management

  • Business Environment

  • Governance

  • Risk Assessment

  • Risk Strategy

DETECT

Business: As the inventory takes place, this domain is where the technology/security problems and bottlenecks impeding the system from functioning at full capacity can be found.

Information Security:

  • Event and Anomaly Monitoring

  • Detection Processes

  • Monitoring technologies

PROTECT

Business: Protection means securing the business’s priorities, goals and deadlines by managing unplanned work. With the business’s flows mapped, work estimates can be more accurate and work, as a result, will be more efficient.

Information Security:

  • ID Management

  • Awareness Training

  • Data Security

  • Data Loss/Leak Process (Classification, Custodianship)

  • Operations/Maintenance

  • Monitoring technologies

RESPOND

Business: In the context of business, respond means adjusting priorities when needed. Planning and communicating risks appropriately is key to any successful program. This can only be done properly if the fundamentals are addressed.

Information Security:

  • Response Planning

  • Communication Strategy

  • Incident Impact Analysis

  • Mitigation

  • Improvements in Incident Handling

RECOVER

Business: Learning from failures is one of the most important parts of succeeding. This means conducting lessons-learned reviews and putting processes through their paces so that they accomplish the goals sought.

Information Security:

  • Recovery Planning

  • Risk Integration

  • BCP/DR

  • Communications Planning After Incident (Internal/External)

  • Communication During Recovery (Internal/External)

The 3 Ways (DevOps)

The 1st Way: Flow/Systems Thinking

  • Understanding the system

  • Removing bottlenecks

  • Never passing the problem down when it can be fixed in the current work area

  • Always moving the work forward

This way is mostly about having a holistic, disciplined way of managing work. It starts with understanding the flow of work.

In large firms this is often lost to process or strategy owners. In these businesses, I would argue, understanding critical flows is even more important. Finding the hindrances in the work and adjusting process to compensate benefits the business. Once the bottlenecks are found, it is incredibly important to integrate fixes iteratively, to get to the final destination efficiently.

Work to understand and improve process should dominate 20% of a team’s work.

Patching is a part of fundamental IT work. To keep up with vulnerabilities, any firm must keep up with updated versions of software. To this end, automating this task could take a team’s work from patching all servers manually to scheduling a task.

The 2nd Way: Amplifying Feedback

  • Perpetual process improvement

  • Prompting feedback at all intervals

Understanding executives’ needs and pains is key to finding out sources of friction and possible misunderstandings. It is important to note that every strategy, and every business, has a profound link to technology. Even if the executives don’t understand their link to tech, it is important to find the direct correlation: “What does a day in the life look like for a Chief of …” Building rapport and trust can make feedback more thorough and useful.

During one meeting the sales executive told me that IT was terrible. After some more questions, it was clear, just from that one conversation, that a managed services model was causing all the stress. Timely service was a thing of fantasy for this firm. Salespeople are often the sole path for new business and the relationships for existing business. They need to be heard and supported properly. This was really an easy fix (mostly), and all it took was asking. It is best to make this type of open feedback a regular occurrence.

The 3rd Way: Experimenting and Learning

  • Taking risks

  • Rewarding failure

  • Trying new things

This is fundamental to personal and team growth in IT. This is what makes great engineers great. This is all about failure. Understanding failure as a construct for success. Trying things outside of our comfort zone. Not doing it because “this is how we have always done it.”

This is where massive improvements in efficiency can be found. This is where real profits can be made. This is always where you learn the most.

Early on, Google instituted a process in which workers would get one day per week to do just this: work on whatever they wanted, experimenting with new processes and with technology.

SBOSD

Fundamental disciplines and a no-nonsense approach are crucial to successful IT Operations. This is a priority 1 framework that can help an infrastructure department get back to the basics of supporting and maintaining an environment properly.

  • Is the technology up or down? Does its criticality demand more resiliency or HA?

  • Is it backed up to the data classification’s specification? Is there sufficient granularity? Is the archiving policy right? Is configuration management required? What RTO and RPO does this application/technology require?

  • Is the technology sufficiently monitored? Are the alerts going to the right people? Are escalations required? Are maintenance routines maintained and monitored?

  • Is this application/process/server secured? Does it need to be encrypted (at rest, in transit, by block, by field)? What DLP policies need to be applied? Is it sufficiently firewalled? Are non-critical services running on this box? What malware protection is in place?

  • Where is this tech physically located? Who owns the application? What data does it access? Is it integrated? Is the tech documented, so that someone who had to troubleshoot it would be able to? Have the users been trained in it?

National Institute of Standards and Technology (Ed.). (2022, September 21). Cybersecurity framework. NIST. Retrieved October 3, 2022, from https://www.nist.gov/cyberframework

Kim, G. (2021, February 11). The three ways: The principles underpinning devops. IT Revolution. Retrieved October 3, 2022, from https://itrevolution.com/the-three-ways-principles-underpinning-devops/