This might be an unpopular opinion, but software engineering is wasteful and undisciplined compared to neighbouring disciplines like security. Google’s CEO can be confident in the company’s low-level firewall settings, but what about its day-to-day engineering practices?
The security industry has solved this best-practice control problem, but engineering hasn’t caught on yet. That creates a huge opportunity for the companies that figure it out to run circles around their competitors.
* Why is security more disciplined? *
Well, security teams can’t afford otherwise. The cost of an incident is huge, and a handful of small, overlooked mistakes is all it takes to let an attacker in.
In software engineering, mistakes lead to death by a thousand cuts. When you lose market share, it’s impossible to trace it back to one source, which makes individual mistakes easier to hide and downplay.
* How do security teams prevent mistakes? *
Or, the better question is: how can Google’s CEO actually be confident in their low-level firewall settings?
The answer is hierarchical recurring controls.
This is a fancy way of saying that they have a defined process for changing firewall rules. Then they audit that process on a schedule to confirm it is actually being followed and is effective, audit the audit, audit that audit, and so on. Eventually there is a top-level leadership review of the entire security program, so every layer is checked by the one above it.
This is how you manage important details at scale.
* What should software engineering teams do? *
Things really turned a corner at my former company Collage when we introduced a centralized and hierarchical recurring control structure for engineering.
It doesn’t have to be anything fancy (ours was a spreadsheet), but you essentially need a list of review activities with frequencies, and another list with instances of those activities so you can see when they should happen and view the results.
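To make the two-list structure concrete, here is a small Python model of it. This is an added illustration, not the author’s spreadsheet or any tool from the post; the control names, owners, frequencies and dates are constructed assumptions. It expands each review activity into dated instances, records results, flags overdue instances, and shows how a reviewing control pulls up the overdue and failed instances of everything beneath it in the hierarchy.

```python
"""Minimal recurring-control register with hierarchical review.

Added example, not the post's own spreadsheet. Control names, owners,
frequencies and dates below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Control:
    """One review activity from the first list: what, how often, who."""
    name: str
    frequency_days: int
    owner: str
    audits: Optional[str] = None  # name of the control this one reviews, if any


@dataclass
class Instance:
    """One scheduled occurrence from the second list, with its result."""
    control: str
    due: date
    completed: Optional[date] = None
    result: Optional[str] = None  # "pass" or "fail" once completed


def build_register() -> list:
    """Three-level hierarchy: a control, a review of it, a review of that review."""
    return [
        Control("dependency-update-review", 7, "tech-lead"),
        Control("audit-dependency-reviews", 28, "eng-manager",
                audits="dependency-update-review"),
        Control("leadership-program-review", 84, "cto",
                audits="audit-dependency-reviews"),
    ]


def schedule(controls: list, start: date, end: date) -> list:
    """Expand every control into dated instances falling within [start, end]."""
    instances = []
    for c in controls:
        due = start
        while due <= end:
            instances.append(Instance(c.name, due))
            due += timedelta(days=c.frequency_days)
    return instances


def record(instances: list, control: str, due: date,
           completed: date, result: str) -> None:
    """Fill in the result for the instance of `control` that was due on `due`."""
    for inst in instances:
        if inst.control == control and inst.due == due:
            inst.completed, inst.result = completed, result
            return
    raise KeyError(f"no instance of {control} due {due}")


def overdue(instances: list, today: date) -> list:
    """Instances whose due date has passed without a recorded completion."""
    return [i for i in instances if i.completed is None and i.due < today]


def findings_for_reviewer(controls: list, instances: list,
                          reviewer: str, today: date) -> dict:
    """What a reviewing control should see: counts of overdue or failed
    instances for each control below it, all the way down the hierarchy."""
    by_name = {c.name: c for c in controls}
    findings = {}
    name = by_name[reviewer].audits
    while name is not None:
        bad = [i for i in instances
               if i.control == name
               and (i.result == "fail" or (i.completed is None and i.due < today))]
        findings[name] = len(bad)
        name = by_name[name].audits
    return findings


if __name__ == "__main__":
    register = build_register()
    rows = schedule(register, date(2024, 1, 1), date(2024, 3, 31))
    record(rows, "dependency-update-review", date(2024, 1, 1), date(2024, 1, 2), "pass")
    record(rows, "dependency-update-review", date(2024, 1, 8), date(2024, 1, 9), "fail")
    today = date(2024, 1, 20)
    for inst in overdue(rows, today):
        print(f"OVERDUE {inst.control} due {inst.due}")
    print(findings_for_reviewer(register, rows, "leadership-program-review", today))
```

The point of `findings_for_reviewer` is the hierarchy: the leadership review does not inspect dependency updates itself, but it sees at a glance that the manager-level audit is overdue and that the control under it has a failed and a missed instance. The same two lists, in a spreadsheet with a column per reviewer, give the same picture.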
Read the rest including a list of suggested review activities for software companies here: https://lnkd.in/evuduW-9