I just finished reading The Phoenix Project by Gene Kim, Kevin Behr, and George Spafford. And wow, what a great book! It really captures the organizational trends and individual behaviors that screw up software & IT projects. And, better yet, it offers some concrete examples for how to address these issues. The Phoenix Project is a bit like a time machine for me, because it so accurately captures the entire ecosystem of dysfunction at one of my former companies that it could have been based on that organization. I have worked with these people and witnessed those behaviors – but my Brent was a guy named Yudong who was very bright and well-intentioned, but without a clue how to operate. Those weekly emergency hair-on-fire sessions were typically caused by him. Low-quality software and badly managed deployments make productivity go backwards. Worse, repeat failures and lack of reliability create tension and distrust between all the groups in a company, to the point when they become rival factions. Not a pleasant work environment – everyone thinks everyone else is bad at their jobs! The Phoenix Project does a wonderful job of capturing these situations, and why companies fall into these behavioral patterns.
Had this book been written 10 years ago it would have saved a different firm I worked for. A certain CEO who did things like mandate a waterfall development process shorter than the development cycle, commit to features without specifications and forget to tell development, and only allow user features – not scalability, reliability, management, or testing infrastructure improvements – into development might not have failed so spectacularly. Look at blog posts from Facebook and Twitter and Netflix and Google – companies who have succeeded at building products during explosive growth. They don’t talk about fancy UI or customer-centric features – they talk about how to advance their infrastructure while making their jobs easier over the long term. Steady improvement. In some of my previous firms more money went into prototype apps to show off a technology than the technology and supporting infrastructure.
Anyway, as an ex-VP of Engineering & CTO, I like this book a lot and think it would be very helpful for anyone who needs to manage technology or technical people. We all make mistakes, and it is valuable for executive management to have the essential threads of dysfunction exposed this way. When you are in the middle of the soup it is hard to explain why certain actions are disastrous, especially when they come from, say, the CEO. And no, I am not getting paid for this and no, I did not get a free copy of the book. This enthusiastic endorsement is because I think it will help managers avoid some misery. Well, that, and I am enjoying the mental image of the looks on some people’s face when they each receive a highlighted copy anonymously in the mail. Regardless, highly recommended, especially if you manage technology efforts. It might save your bacon!
We have not done the Summary in a couple weeks, so there is a lot of news!
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
Favorite Securosis Posts
- David Mortman: NoSQL Security 2.0 [New Series] updated.
- Adrian Lane: Can’t Unsee. “It was funny … also because it didn’t happen to me.” Sometimes that Rothman guy really cracks me up!
- Mike Rothman: NoSQL Security 2.0 [New Series]. Looking forward to this series from Adrian. I know barely enough database security to be dangerous and it’s a great opportunity for all of us to learn.
Other Securosis Posts
- Incite 4/16/2014: Allergies.
- Understanding Role Based Access Control: Role Lifecycle.
- Responsibly (Heart)Bleeding.
- Firestarter: Three for Five.
- FFIEC’s Rear-View Mirror.
- Understanding Role Based Access Control [New Series].
- Defending Against DDoS: Mitigations.
Favorite Outside Posts
- David Mortman: Security of Things: An Implementers’ Guide to Cyber-Security for Internet of Things. Devices and Beyond! <– a PDF, but read it anyway
- Adrian Lane: Manhattan: real-time, multi-tenant distributed database for Twitter scale. Having just finished the excellent The Phoenix Project, I particularly see success factors in how companies like Twitter, Facebook, and Netflix approach development.
- Gunnar Peterson: The Heartbleed Hit List. They took the time to go through all the major web services to show who is affected. Good reference.
- Mike Rothman: NSS Labs Hits Back at FireEye ‘Untruths’. There was quite a dust-up last week when NSS published their “Breach Detection” tests. FireEye didn’t do very well and responded. And then the war of words began. Here is Channelomics’ perspective.
- Gal Shpantzer: Moving Forward. I think this will be my FS link every week.
- Dave Lewis: Security on-call nightmares.
- Pepper: * iptables rules to block all heartbeat queries
Research Reports and Presentations
- Reducing Attack Surface with Application Control.
- Leveraging Threat Intelligence in Security Monitoring.
- The Future of Security: The Trends and Technologies Transforming Security.
- Security Analytics with Big Data.
- Security Management 2.5: Replacing Your SIEM Yet?
- Defending Data on iOS 7.
- Eliminate Surprises with Security Assurance and Testing.
- What CISOs Need to Know about Cloud Computing.
- Defending Against Application Denial of Service Attacks.
- Executive Guide to Pragmatic Network Security Management.
Top News and Posts
- Heartbleed Update (v3) via @CISOAndy
- DuckDuckGo is the Anonymous Alternative to Google
- What Edward Snowden Used to Evade the NSA
- FBI warns businesses of VC IP scams. Soon to be a movie snort.
- Aereo Streaming-TV Service Wins Big Ruling Against Broadcasters
- Staying ahead of OpenSSL vulnerabilities
- Don’t Shoot The Messenger
- One of World’s Largest Websites Hacked
- Brendan Eich Steps Down as Mozilla CEO. A series of strange decisions at Mozilla make you wonder what’s up over there.
- Companies track more than credit scores
- Whitehat Security’s Aviator browser is coming to Windows
Blog Comment of the Week
This week’s best comment goes to Marco Tietz, in response to Responsibly (Heart)Bleeding.
Agreed. a bit of bumpy road pre-disclosure (why only a few groups etc pp, you guys covered that in the firestarter), but responsible handling from akamai along the way. maybe I’m too optimistic but it seems to be happening more often than it used to.