Security and the Theory of Constraints

Monday, January 16, 2012

Danny Lieberman

959779642e6e758563e80b5d83150a9f

Security management is tricky.  It’s not only about technical controls and good software development practice. It’s also about management responsibility.

If you remember TOC (Theory of Constraints, invented by Dr. Eli Goldratt about 40 years ago) there is only 1 key constraint that limits a system's (or company's) performance to achieve it’s goal.

So – what is that 1 key constraint for achieving FDA Premarket Notification (510k) and/or HIPAA compliance success for your medical device on a tight schedule and budget?

That’s right boys and girls – it’s the Business unit manager...

Consider 3 cases of companies who are developing medical devices and need to achieve FDA Premarket Notification (510k) and/or HIPAA compliance for their product.   We will see that there are 3 generic “scenarios” that threaten the project.

A key developer leaves and the management waits until the last minute

In this scenario, the person responsible for the software security and compliance quits. The business unit manager waits until the last minute to replace him and in the end realizes that they need a contractor.

External consultants (like us) start wading through reams of documentation, interviewing people and reconstructing an understanding of the systems and scope before we even start our first piece of threat analysis and write our first piece of code.

The mushroom theory of management

In this scenario, there are gobs of unknowns because the executive staff did not, could not or would not reveal all their cards in a particularly risky and complex development project that is not reaching a critical milestone.  The business unit manager calls in an outsider to evaluate and/or take over.

After 6 weeks – you may sort of think you have most of the cards on the table. But – then again, maybe not. You might get lucky and achieve great progress because the engineers are ignoring the product manager and doing a great job. Miracles sometimes happen but don’t bet on it.

We’re in transition

In scenario 3, a new CEO is brought in after a putsch in the board and things come to a standstill as the executive staff started getting used to the new boss and the line staff start getting used to new directives and the programmers stop wondering if they will still have a job.

Truth be told – only the first scenario is really avoidable.  If your executive staff runs things by the mushroom theory of management or you get into management transition mode – basically, anything can happen.  And that’s why consultants like us are busy.

Cross-posted from Israeli Software

Possibly Related Articles:
14632
Network->General
Information Security
HIPAA Management HITECH Leadership Development Software Security Assurance Medical Devices FDA Danny Lieberman Theory of Constraints Eli Goldratt
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.