
Risk assessment and the theory of constraints

Why do software projects fail?
It's been like trying to drink from a fire hose around here the past 6 weeks - I turned around and it's over 3 weeks since my last blog posting.

For some reason, July and the first half of August in Israel is one of the busiest times of the year. Q2 is typically a soft sales quarter and you would have thought that July and August would be vacation time where things are slowing down - but Israelis smell the holidays in September and pack in as much as possible before Aug 15th when the country really shuts down.

We're working on several software security assessment projects in parallel and I'm reminded again that risk assessment goes way beyond technical countermeasures.

The work is pretty intense, and the organizations are totally different: one is a large technology manufacturer, one is a small embedded software developer and another is a large government corporation.

If you remember TOC (the Theory of Constraints, developed by Dr. Eli Goldratt in the early 1980s), there is only one key constraint that limits a system's (or company's) performance in achieving its goal.

So - what is that one key constraint for risk assessments?

The CEO

In case 1, the lead security analyst who worked for the company left, and management waited until the last minute, so we're wading through documentation and reconstructing an understanding of the systems and scope before we can even start our first piece of threat analysis.

In case 2, the mushroom theory of management is being employed. Lots of unknowns because the executive staff did, could or would not reveal all their cards in a particularly critical development project. After 6 weeks - we sort of think we have most of the cards on the table. But - I'm still not sure. We are making great progress because fortunately - the engineering staff are doing a great job and using open source so everything is pretty accessible.

In case 3, a new CEO came on board after the initial vulnerability assessment and things came to a standstill as the executive staff started getting used to the new boss.

Without management cooperation it's tough to do an effective risk assessment - I suspect this may be a common experience.

The methodologies all assume unlimited, frictionless cooperation from the customer. Maybe not.

This entry was posted on August 10, 2007 4:13 PM.

This weblog is licensed under a Creative Commons License.