Anyone who has spent any hard time in a corporation or bureaucracy knows that there are certain management fads that make the rounds. There is no escape. It's going to happen and it usually happens for a reason.
For our previous CIO, whose job it was to reorganize the IT department, it was Who Moved My Cheese.
Back then, if you were a middle manager and didn't have a copy of the book prominently displayed somewhere in your loser cruiser or on your desktop, you could end up being branded as some sort of corporate insurgent. It was everywhere. The most faithful always carried a copy with them to meetings to spread the faith whether they believed it (or read it) or not.
The latest CIO is proselytizing The 7 Habits of Highly Effective People.
Ugh. Not again. The less said about that nonsense, the better. That crap has been making the rounds for almost twenty years now.
But this isn't about cheese or habits or CIOs. It's about IT Security and the CSO.
A few months back, the CSO sent us this link (don't bother reading it, it is crap) to an article on "Lean Security" and noted we would be hearing more about it in the months to come.
Uh-oh. In my mind that meant "here come the budget cuts, kiddies!"
I dutifully read the article and before going beyond the second paragraph I got an eerie feeling of déjà vu.
I knew I had read it before, but something was different. The subject had come up in the late 90s, but back then it was "Lean IT". As I read on I became convinced that the author had simply recycled the "Lean IT" article by searching for "IT" and replacing it with "Security".
It was an astounding epiphany. "What now?" I asked myself. Was this going to be the Next Big Thing industry-wide? In order to answer that I created - what else? - a Google News Alert for "Lean Security".
There were very few hits over the next few months, and nearly all of them pointed back to the same article the CSO had provided a link to. That settled the "industry-wide" question in my own mind. There was no buzz. Anywhere.
The CSO never mentioned it again.
This brings us to the sock puppets. It turns out there's a Lean Enterprise Institute. They've been responsible for distributing this crud for over 11 years. It figures. They even have a Lean Forum, and that's where my most recent Google Alert came from. It pointed to this thread, which goes like this:
Sock Puppet #1: I've read several articles of applying LEAN principles to security operations. Can anyone suggest additional readings? Just a really interesting concept for me. Thanks!
Sock Puppet #2: It makes sense. Security is just another process, with a specified outcome.
Sock Puppet #3: I'd be happy to discuss this topic with you. I have co-authored the original article on applying lean principles to security and will continue a series of columns in Security Technology & Design Magazine for the next 10 months.
Oh, brother. Nothing stands out like a self-serving clusterfuck.