Épisodes

  • Safety vs. Security: Why Words Matter with Sounil Yu
    Apr 26 2024
    Summary

    Sounil Yu, author of Cyber Defense Matrix, discusses the importance of terminology in cybersecurity and the distinction between safety and security. He explains how the Cyber Defense Matrix helps organize and identify gaps in security capabilities. He also introduces the concept of the D.I.E. Triad (distributed, immutable, ephemeral) and how it can reduce the impact of liabilities in cybersecurity. The conversation highlights the need to redefine the economic equation of cybersecurity from a cost to an investment. The talk explores the concepts of cyber safety and cybersecurity and how they relate to risk management and defense strategies. The guests discuss the importance of having necessary defenses in place, even for smaller businesses that may not be direct targets. They also delve into the three-line model and how it aligns with the cyber defense matrix. The matrix is a valuable tool for understanding the full scope of cybersecurity and making risk-based decisions. The conversation emphasizes the need for a common language and understanding between tech and audit professionals.

    Takeaways
    • Terminology is crucial in cybersecurity to ensure clear communication and understanding.
    • The Cyber Defense Matrix helps organize and identify gaps in security capabilities.
    • The D.I.E. triad (distributed, immutable, ephemeral) can reduce the impact of liabilities in cybersecurity.
    • Redefining the economic equation of cybersecurity from a cost to an investment is essential. Having necessary defenses in place is vital for all organizations, regardless of their size or direct targeting.
    • The cyber defense matrix is a helpful tool for understanding the full scope of cybersecurity and making risk-based decisions.
    • Common language and understanding between tech and audit professionals are crucial for effective communication and collaboration.
    • Risk tolerance and appetite should clearly articulate and align with the organization's goals and resources.
    • The cyber defense matrix can be used as an assurance map to identify controls and risk coverage gaps.

    Chapters


    00:00 Introduction and Background

    06:18 The D.I.E. Triad

    14:13 The Importance of Terminology

    26:40 Risk Tolerance and Risk Appetite

    35:07 The Role of Language and Common Understanding

    Afficher plus Afficher moins
    45 min
  • Policy as Code: An Audit-Tech Peacekeeper with Mike Leuzinger and Andy Kolenko
    Apr 20 2024
    Summary

    In this episode, Mike Leuzinger and Andy Kolenko discuss policy as code from a technology and audit perspective. Policy as code extends infrastructure as code, allowing organizations to automate and manage policies across multiple technology stacks. It can enable continuous compliance, self-service for auditors, and more robust controls through automation. However, challenges include dealing with heterogeneity and the complexity of new technologies. Bridging the gap between technologists and auditors is crucial for successful implementation. The conversation explores the challenges and benefits of implementing policy as code in an organization. Mike, Andy, Clariss, and Bill discuss the complexity of keeping up with proprietary schemas and controls and the importance of relying on vendors and industry standards. They also touch on the responsibility of setting and managing Policy as Code, highlighting the industry's lack of established processes and ownership. The conversation emphasizes the need for collaboration between auditors and technology partners and the importance of staying updated on compliance guidance and leveraging tools like Open Policy Agent and the AWS Well-Architected Framework.

    Takeaways


    • Policy as code extends infrastructure as code, enabling organizations to automate and manage policies across multiple technology stacks.
    • Policy as code enables continuous auditing and monitoring, providing more continuous assurance to stakeholders.
    • Self-service for auditors reduces miscommunication and allows them to obtain the necessary evidence without relying on clients.
    • Policy as code strengthens controls through automation, preventing security vulnerabilities from going into production.
    • Challenges of policy as code include dealing with heterogeneity and the complexity of new technologies.
    • Bridging the gap between technologists and auditors is crucial for successfully implementing policy as code. Keeping up with proprietary schemas and controls remains challenging, and organizations should rely on vendors and industry standards to stay ahead.
    • The responsibility for setting and managing Policy as Code is still unclear, and there is a need for more established processes and ownership.
    • Collaboration between auditors and technology partners is crucial for the successful implementation of Policy as Code.

    Afficher plus Afficher moins
    41 min
  • Harvesting Harmony: John Deere's IT & Audit Jamboree
    Jan 27 2024

    In this episode, Lynn, Roberto, & Matt from John Deere discuss their digital transformation journey and its impact on IT and Internal Audit. They highlight the importance of agility in internal audit and how it helped prioritize work and enhance relationships with stakeholders. The team also shares the challenges they faced during the transformation and the strategies they used to overcome them. Additionally, they discuss the concept of defining deployable and its role in bridging the gap between technology and audit. The conversation explores the partnership between audit and other departments, the importance of metrics and measuring outcomes, applying software engineering principles to audit, and advice for implementing Agile in audit.

    Takeaways
    • Digital transformation requires agility in internal audit to prioritize work and enhance stakeholder relationships.
    • Challenges during the transformation can be overcome through continuous improvement and a focus on cultural change.
    • Defining deployable is crucial in bridging the gap between technology and audit.
    • Psychological safety and modeling behaviors are vital to creating a culture of trust and innovation.
    • Partnerships between audit and other departments are crucial for automation and improving audit processes.
    • Metrics should focus on measuring outcomes rather than just activities.
    • Applying software engineering principles to audits can improve efficiency and effectiveness.
    • When implementing Agile in audit, start small, adapt, build relationships, and disrupt with precision.

    Afficher plus Afficher moins
    58 min
  • Mythbusting Agility: Agile, DevOps, and Lean Across Disciplines
    Jan 11 2024

    In this episode, Clarissa & Bill promise to open up new avenues of thought! Agile, Lean, and DevOps – you've probably heard these terms thrown around in software development circles. But what if we told you these methodologies are not confined to the digital realm? Join us as we shatter this age-old myth with our guests, Robin Yeman and Suzette Johnson.

    Our daring duo takes us on a rollercoaster ride of their experiences, applying Agile, Lean, and DevOps in areas you'd least expect. They're not just sharing theories; they're bringing you real-life stories of implementing these dynamic practices in places ranging from auditing to operations. This episode is a treasure trove of tales and tips, perfect for anyone skeptical about mentioning 'Agile' outside the IT department.

    In this insightful conversation, Robin and Suzette delve into the application of engineering principles to cyber-physical systems and stress the importance of considering constraints in the design process. They talk about the need for multiple planning horizons – a strategy that ensures predictable delivery while allowing the flexibility to adjust scope and resources based on empirical data.


    Our guests share their journey in overcoming challenges and achieving success with new working methods. They highlight the importance of aligning on a common language and building internal support, which is essential to any transformation. Plus, they explore the concept of 'crossing the chasm', underscoring the necessity for continuous improvement in an ever-evolving digital landscape.


    This episode is not just about changing how you work; it's about a paradigm shift in approaching technology governance and innovation. Let's dive in!


    • Read the book "Industrial DevOps" - https://itrevolution.com/product/industrial-devops-book/
    • Follow Robin Yeman on Linkedin - https://www.linkedin.com/in/robinyeman/
    • Follow Dr. Suzette Johnson on LinkedIn - https://www.linkedin.com/in/dr-suzette-johnson-984bb14/


    Takeaways


    • Applying engineering principles to cyber-physical systems involves considering constraints and designing with the end in mind.
    • Multiple horizons of planning are essential for predictable delivery and the ability to adjust scope and resources based on empirical data.
    • Agile, lean, and DevOps principles can be effectively applied beyond software development, including in areas like hardware and manufacturing.
    • Security and auditing need to be integrated early in the agile development process.
    • Overcoming challenges and finding success with new ways of working requires aligning on a common language and building internal support.
    • Crossing the chasm involves building a full product offering and providing evidence of success to gain wider adoption.
    • Continuous improvement and a growth mindset are crucial in an ever-evolving digital landscape.
    • Understanding and integrating constraints from the beginning is crucial for successful system development.
    • Bridging the gap between software and hardware is essential in cyber-physical systems.
    • Continuous improvement and innovation are necessary to keep pace with evolving industry trends.


    Chapters


    • 00:01:06 - Episode Introduction
    • 00:02:44 - Robin & Suzette Introductions
    • 00:04:38 - Discussion on Systems Engineering and Agile Approaches
    • 00:07:19 - Industrial DevOps and Cyber-Physical Systems
    • 00:11:49 - The Role of...
    Afficher plus Afficher moins
    40 min
  • Coffee Clatch For A Better Batch with Jeffrey Fredrick
    Dec 15 2023

    In this conversation, Bill and Clarissa discuss the importance of effective conversations with “Agile Conversations” co-author Jeffrey Frederick. Overall, the episode emphasizes the power of conversations in reducing unnecessary pain and improving collaboration in various domains. They explore the concept of Taylorism and its impact on management philosophies, highlighting the need for a more human-centered approach. The conversation also touches on the biases present in traditional auditing processes and the importance of recognizing and overcoming them. In this episode, Jeffrey Fredrick discusses the importance of effective conversations in auditing and other professional contexts. He emphasizes the need for alignment and shared understanding in conversations, especially when auditors and clients have different perspectives. Jeffrey introduces the concept of the Four Rs (Record, Reflect, Revise, Role Play) as a tool for improving conversational skills. He explains each step of the Four Rs and highlights the importance of genuine curiosity and transparency in conversations. Jeffrey also discusses the ladder of inference and how it can help auditors and clients overcome challenges related to understanding each other's businesses. He concludes by emphasizing the need for practice and continuous improvement in conversational skills.

    • Read the book “Agile Conversations” at https://itrevolution.com/product/agile-conversations/
    • Learn more about Agile Conversations at https://www.agileconversations.com
    • Check out Jeffrey’s Podcast “Troubleshooting Agile” at https://agileconversations.com/troubleshooting-agile-podcast/
    • Explore CITCON (Continuous Integration Conference) at https://citconf.com
    • Follow Jeffrey on LinkedIn at https://www.linkedin.com/in/jfredrick
    • Follow Jeffrey on X (Twitter) at https://twitter.com/jtf

    Takeaways
    • Effective conversations are essential in Agile and DevOps practices.
    • Recognizing and overcoming biases is crucial in auditing and other domains.
    • Conversations can help reduce unnecessary pain and improve collaboration. Effective conversations require alignment and shared understanding.
    • The Four Rs (Record, Reflect, Revise, Role Play) can improve conversational skills.
    • Genuine curiosity and transparency are essential in conversations.
    • The ladder of inference can help auditors and clients understand each other's businesses.


    Chapters


    • 00:00 Introductions
    • 07:36 Taylorism and Modern Management
    • 12:41 Reducing Suffering and Unnecessary Pain
    • 16:13 The Negative and Positive Aspects of Taylorism
    • 21:26 Spotting Taylorism and the Need for Change
    • 24:47 Conversations as a Tool to Overcome Biases
    • 27:18 Misalignment in Auditing
    • 25:36 The Four Rs
    • 29:20 Using the Four Rs in Conversations
    • 31:46 The Record Step
    • 33:14 The Reflect Step
    • 25:07 The Revise Step
    • 36:02 The Role Play Step
    • 39:28 Leveraging Conversational Concepts in Auditing
    • 44:24 Practice and Skills Gap

    Afficher plus Afficher moins
    49 min
  • How We Automated Governance with Robert Kelly
    Dec 7 2023

    Clarrissa, Bill, and Robert Kelly discuss implementing automated governance systems in highly regulated organizations in this conversation. They explore the challenges of working with internal auditors and the importance of bringing auditors to the table early in the process. They emphasize the need for a culture shift and a change in mindset to ensure that automated governance solutions are integrated with internal audit processes. The conversation highlights the value of auditors in reducing risk and accelerating software delivery. Overall, the discussion provides insights into the implementation and benefits of automated governance systems. The conversation explores the integration of technologists and internal audits through automated governance. It discusses the challenges faced in bridging the gap between these two teams and the benefits of early collaboration. The concept of continuous compliance is examined, focusing on shifting towards real-time assurance. The conversation concludes with three key takeaways: the success of automated governance in various industries, the importance of bringing auditors in early, and the need to view compliance as an assurance process.

    Takeaways
    • Implementing automated governance systems in highly regulated organizations requires a culture shift and a change in mindset.
    • Bringing auditors to the table early in the process is crucial for ensuring the success and integration of automated governance solutions.
    • Automated governance solutions should focus on reducing risk and accelerating software delivery.
    • Building trust and collaboration between IT teams and auditors is essential for effective automated governance.

    Chapters


    • 00:00 - Introduction and Background
    • 04:25 - Building the Automated Governance System
    • 06:39 - The Problem Automated Governance Solves
    • 09:40 - Challenges in Implementing Automated Governance
    • 11:11 - Working with Internal Auditing
    • 14:41 - Bringing Auditors to the Table
    • 19:48 - Selling and Marketing the Automated Governance Solution
    • 22:36 - The Value of Auditors in the Process
    • 26:26 - Changing the Conversation with Auditors
    • 27:29 - Bringing Technologists and Internal Audit Together
    • 33:56 - Solving Audit Problems with Automated Governance
    • 38:30 - The Ideal Audit Experience with Automated Governance
    • 40:23 - Continuous Compliance vs. Real-Time Assurance
    • 44:53 - Lessons Learned and Takeaways

    Afficher plus Afficher moins
    49 min
  • Developer Productivity Engineering (DPE), Audit, and GRC with Justin Reock
    Nov 30 2023

    Clarissa Lucas and Bill Bensing interview Justin Reock about Developer Productivity Engineering (DPE) and its role in auditing and governance. They discuss the importance of measuring engineering productivity, observing the value stream, and identifying bottlenecks and impediments to productivity. They also explore the concept of proactive risk management and the need for partnership between developers and auditors. The conversation highlights the challenges of breaking silos and the potential for DPE to reduce developer toil and improve overall software quality. They conclude by reframing auditing as a way to fight cyber criminals and protect against exploitation. The conversation explores the intersection of auditing, governance, risk, and compliance (GRC) with the tech industry. It highlights the need for empathy, partnership, and bridging the gap between developers and auditors. The toxic mentality in the tech industry is also discussed.

    Follow Justin:

    • LinkedIn - https://www.linkedin.com/in/justinreock/
    • X (Twitter) - https://twitter.com/jreock

    Takeaways
    • Developer Productivity Engineering (DPE) focuses on measuring engineering productivity and addressing pain points in the software development process.
    • DPE involves observing the value stream, identifying bottlenecks, and applying technology solutions to improve developer productivity.
    • Proactive risk management is an important aspect of DPE, allowing organizations to prevent issues before they become problems.
    • Partnership between developers and auditors is crucial for effective DPE, breaking down silos and leveraging each other's expertise.
    • Reframing auditing as fighting cyber criminals can help developers see the value of auditing and governance in protecting against exploitation. There are commonalities and opportunities for collaboration between the auditing/GRC and tech industries.
    • Empathy, vulnerability, and partnership are essential for effective auditing and GRC.
    • Developers can bridge the gap with auditors by framing conversations as part of a fuller responsibility and recognizing the limitations of software solutions.
    • The tech industry should overcome the toxic mentality of thinking they can solve every problem and instead embrace teamwork and collaboration.

    Chapters
    • 00:00 Introduction and Overview
    • 01:16 Developer Productivity Engineering (DPE)
    • 03:23 Developer Productivity Engineering (DPE) and Governance and the Value Stream
    • 04:49 The Importance of the Build System
    • 05:42 Developer Productivity Engineering (DPE) and Governance
    • 07:49 Proactive Risk Management
    • 09:03 Partnership between Developers and Auditors
    • 09:56 The Role of Auditors in Developer Productivity Engineering (DPE)
    • 11:29 The Challenge of Breaking Silos
    • 21:53 The Divide between Developers and Other Departments
    • 27:59 Reducing the Negative Side Effects of Unrestricted Development
    • 28:24 The Role of Automation in Auditing
    • 31:24 Reducing Developer Toil through Developer Productivity Engineering (DPE)
    • 34:09 Partnership and Breaking Down Silos
    • 39:07 Reframing Auditing as Fighting Cyber Criminals
    • 40:58 Exploring the Complexity of Auditing and Governance, Risk, and Compliance (GRC)
    • 42:16 Empathy and Partnership in Auditing and Governance, Risk, and Compliance (GRC)
    • 43:11 Bridging the Gap between Developers and Auditors
    • 43:40 Overcoming the Toxic Mentality in the Tech Industry
    • 44:40 Outro & Follow Justin

    Afficher plus Afficher moins
    46 min