If you ask most people new to Agile (yes, there are still some of those around), and especially if they’ve been slogging it out in the trenches of long, grueling projects…and especially in the public sector arena, you’ll get an almost universal reaction:
“Hell yeah! No more f—-ing process!”
And it’s kinda understandable, because process has become a dirty word. It’s done so because nearly every day, someone is beating someone else up about “following the process.”
Now, I’ve done it too…and I don’t guarantee I won’t ever do it again in the future either, but when I was writing the August Security Sanity™ newsletter over the weekend (all 40+ pages of the super-duper, nearly TRIPLE-sized issue), I really got to thinking about processes, and being effective…and the question on my mind was:
“How do you get people ‘there’ so they are really effective? How do you achieve the ‘individual’ capable of knowing what actions and interactions are required instead of blindly following a process?
And the answer is obvious: training.
But it’s not really obvious, or at least if it is, we don’t understand it when we actually develop most training.
Because most training programs take the attitude that if you just give people a book or a process or lots and lots of examples, then you’re done. You should “know”.
The focus is on knowledge, on what to do, and that’s why processes are so deceptively evil.
Because we think we can use processes as a crutch…actually, as a virtual replacement for something far more important:
Skill.
I talk about this on Page 8 when I’m talking about getting sucked into focusing on tactics rather than why we need a particular tactic in the first place.
And of course, we’d NEVER do that in security, right?
But how do you really develop a skill?
Love it or hate it, you have to give credit where credit is due. If you want to look at the masters of complex skill development, you only need to look at the Military.
Want to take a fresh college graduate and turn him into a combat pilot flying a $100M airplane and have confidence they’ll come back alive?
You sure don’t give him an 800 page book called “How to Become a Successful Fighter Pilot (and not get killed): The Step-by-Step Guide.”
That’d be that pesky elephant I was talking about the other day.
How about hostage rescue in a hostile foreign territory?
Oh, well, just go on to amazon.com and pick up the “Hostage Rescue in 10 Easy Steps” book. Give it a good read, and strap on your parachute!
It just doesn’t make any sense.
But that’s how we try and approach most things in the “real world”, and in particular the Security world. Literally 10’s of 1000’s of pages of frameworks, controls, standards, guidance are pumped out all the time, and we’re supposed to keep on top of them all.
Like if you give all the parts of a car and a set of tools to someone who really loves cars they’ll be able to somehow put them all together into a working automobile that won’t kill someone or explode…
Sure.
We don’t know what we’re doing, I mean collectively. We don’t have an idea how it all fits together, because if we DID, then we’d be less worried about all those details and more concerned on developing those skills we actually need to keep our organizations safe.
What are those skills?
Well some of them are in the August newsletter, but that’s not what I want you to take away today.
The point is that we don’t teach someone to fly combat aircraft with books and training…with processes they need to follow.
In order to be successful, they need to have a system they can use when everything else goes pear-shaped. And that system is something that will keep them safe because the skills they need are automatic.
And there’s only one way to do that: habits.
That’s why the Military can send someone straight out of University into a combat zone only 15 months later and have high confidence they’ll not only perform the mission, but that they’ll come back safely.
That’s why SpecOps teams like Delta Force, Seal Team 6 and the SAS can slip quietly into a situation, right under the noses of the bad guys, and have a high probability of bringing everyone home without the majority of people even knowing they were there.
Habit. Habit…after habit…after habit.
Piece by piece.
And while each habit encodes a skill that itself is just a tactic, it’s the system that makes sure they’re all done in the right sequence.
It’s the system that keeps everyone safe, whether it’s driving a car, flying a jet fighter or rescuing hostages.
What’s missing in security…at the highest levels…is a coherent system that would do exactly the same thing for us. Define a system that would keep us safe, and help us develop the right, critical habits that we can rely on every day, no matter what.
Because it’s a system implemented by the right habits that trumps processes and detail. That’s how you’ll always know what to do, or when “best practice” is giving you a bum steer.
And that’s what the individuals writing the Agile Manifesto had. They had the habits, and they had a system. And those meant that they always knew how to tackle any problem that would come up, and how they had confidence they could deal with uncertainty.
It’s also why people trying to “be Agile” don’t get it. They’re focused on the tactics and the rituals without understanding its the habits and the overall system they don’t understand.
And it’s a lot like security.
So if you’re sick of it, and you would like to have a system that would keep you and your organization safe…
…and that would help you develop the habits to allow you to truly deliver Agile Security from the enterprise to the microservice…
Then that’s what you’ll get in the August issue, but only if you subscribe before the deadline.
Here’s the link:
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
