One Size Does Not Fit All, Redux
Projects and changes to existing systems come in all variety of sizes, shapes, and amount of change. A successful program is easy to adopt when all who are involved acknowledge this variability upfront and clearly. I can’t tell you how many times an IT organization with which I’ve worked, in the name of efficiency, has built their delivery process around the biggest and most complex systems, only to bury innovation and creativity in a landslide of administration and bureaucracy.
There has to be a fast-track for experiments. And these will need a security sandbox in which to play. At the same time, minor changes don’t need to be stultified by documentation requirements. One size definitely does not fit all. In the numerous times that I’ve seen a one-size approach attempted, the result has universally been a horde of exceptions to the process. Exceptions are generally one of the most expensive ways to handle issues.
Don't Issue Edicts Unless Certain of Compliance
Earlier, I related the story of a security architecture and assessment program from the past that had issued the edict, “all changes will be threat modeled.” Much ill will proceeded from that edict, as I noted above.
I avoid mandates, except for the truly essential. Edicts are reserved for what is attainable, such as, “All code will go through static analysis.” Or, “Any substantial change to the architecture requires a review of the threat model.” “Substantial,” of course, is a qualitative term that probably leaves a loophole big enough for an architectural “Mack truck” to be driven through. Still, I’d rather win hearts and minds.
Edicts, unless based on the firm ground of necessity and attainability, erode trust and support. In addition, if the directive is difficult or impossible to attain, such mandates cause your partners to create strategies of evasion or downright dishonesty, which means that you’ve made rules that people aren’t going to obey, and you won’t know about it. I don’t like to turn delivery teams into liars so that they can get their jobs done. Edicts should be avoided.