Aaron Snow, 14 tweets, 4 min read
A short(ish) thread about five digital service delivery practices that promote security, in case you don't feel like reading the whole transcript of my remarks to the ETHI committee:
First: Use (surprise!) research and design practices that put people first. You'll learn, not guess, what and how little personal data you actually need to deliver the service, how long you need to keep it, how to handle it, if/when to delete it. Don't need it? Don't collect it.
Second: Practice DevOps and continuous delivery. I can't emphasize this enough. Some gov systems still deploy changes only 2-4x PER YEAR except emergency patches. Got a security improvement but it's not an emergency? Be ready to sit in queue for months. The sites you use every day make 100s of changes daily b/c their teams and tech are set up for it. They get better faster and they can get safer faster. For my $$, modernizing our systems AND how we manage changes to them is the single most effective thing we can do to improve security.
Third: Assume there will be failures, and get good at reacting to and learning from them. In a perfect world every system would be 100% secure, but we don't live in that world and we're not fooling anyone by claiming otherwise. Leading orgs build resilience by learning from every incident, large or small. We conduct blameless postmortems where staff know it's safe to be open and honest about mistakes. You learn more from acknowledging failures than from hiding them.
Fourth: Work in the open. We've all seen the blowback against orgs that stay silent about security incidents (or other kinds of project failures) for far too long. Building in the open reduces risk. It allows others to contribute and critique our work; it provides more incentives for everyone to get the code right instead of taking shortcuts; and it encourages the culture of learning from mistakes. (Not to mention all the other virtues of open-sourcing government code! 18f.gsa.gov/2018/07/12/the… )
Finally: Have strong feedback loops between delivery and policy. I don't think I was clear enough at the hearing about why this promotes security. Policy development in gov is often divorced organizationally from implementation. This leads to gaps in understanding, which contributes to unintended consequences like compliance theatre. This creates more work and drag on development, but *less* security, because it can incentivize shortcuts, blame and mistrust. continuousdelivery.com/2013/08/risk-m…
If delivery is informing policy instead of just being the thing that happens after policy is settled, that's less likely to happen. mikebracken.com/blog/the-strat…
Thanks for coming to my TEDx Ottawa talk ... actually it's mostly not mine at all: nearly all the credit please to @JohnMillons @boardom_ca @StevieRayTalbot @sboots for their work on this, and I'm surely forgetting someone(s). (sorrey in advance -- see, I'm learning 🇨🇦)
P.S. the "I'm American" line is much funnier live.
See I knew I’d forget someone. @ibash_10 provided valuable feedback too. Thx Imraan!