Security management is tricky. It’s not only about technical controls and good software development practice. It’s also about management responsibility.
If you remember TOC ( Theory of Constraints, invented by Dr. Eli Goldratt about 40 years ago) there is only 1 key constraint that limits system (or company) performance to achieve it’s goal.
That’s right boys and girls – it’s the Business unit manager
Consider 3 cases of companies who are developing medical devices and need to achieve FDA Premarket Notification (510k) and/or HIPAA compliance for their product. We will see that there are 3 generic “scenarios” that threaten the project.
A key developer leaves and the management waits until the last minute
In this scenario, the person responsible for the software security and compliance quits. The business unit manager waits until the last minute to replace him and in the end realizes that they need a contractor. External consultants (like us) start wading through reams of documentation, interviewing people and reconstructing an understanding of the systems and scope before we even start our first piece of threat analysis and write our first piece of code.
The mushroom theory of management
In this scenario, there are gobs of unknowns because the executive staff did not, could not or would not reveal all their cards in a particularly risky and complex development project that is not reaching a critical milestone. The business unit manager calls in an outsider to evaluate and/or take over. After 6 weeks – you may sort of think you have most of the cards on the table. But – then again, maybe not. You might get lucky and achieve great progress because the engineers are ignoring the product manager and doing a great job. Miracles sometimes happen but don’t bet on it.
We’re in transition
In scenario 3, a new CEO is brought in after a putsch in the board and things come to a standstill as the executive staff started getting used to the new boss and the line staff start getting used to new directives and the programmers stop wondering if they will still have a job.
Truth be told – only the first scenario is really avoidable. If your executive staff runs things by the mushroom theory of management or you get into management transition mode – basically, anything can happen. And that’s why consultants like us are busy.
