17 Tech Leadership Lessons Learned from the Equifax Breach - Part 2
October 19, 2017

Electric Cloud recently hosted a special episode of Continuous Discussions (#c9d9), featuring Gene Kim and speakers from the upcoming DevOps Enterprise Summit San Francisco (DOES17). In light of the recent Equifax breach, Kim and the speakers dissected the situation and discussed the technical leadership lessons learned while offering their own expert advice for handling crisis situations.

The panel included:

■ Carmen DeArdo, Technology Director at Nationwide Insurance

■ John Allspaw, (former) CTO of Etsy

■ John Esser, Senior Director of IT and Data Center Operations at AdvancedMD

■ Mik Kersten, CEO of Tasktop

■ Scott Nasello, Senior Manager of Platform and Systems Engineering at Columbia Sportswear

■ Anders Wallgren, CTO of Electric Cloud

Start with 17 Tech Leadership Lessons Learned from the Equifax Breach - Part 1 for highlights 1 - 8.

The following are highlights 9 - 17.

9. What it really comes down to is doing what is right, advises Kim: "Let us not fool ourselves, when things like this happen regulatory bodies start getting involved, investigators are getting involved and I, as the leader, would want to get ahead of that. We're not going to do something to make regulators happy, we are going to do this because we know that this is what a responsible, successful organization does. That's something I would love to see from that leader."

10. Allspaw on the direct relationship to business success and complexity: "As you become more successful, you are proportionally becoming more complex because you are taking advantage of new opportunities. Therefore, you have to keep that ability, that capacity, to grasp new opportunities in step with investing in all of the things that you need to do to mitigate the risk that comes along with it."

11. It's important that business leaders understand technical debt, says Kersten: "In large organizations, if they don't understand that the trade-off between investment features and technical debt or even value stream improvements – as is the case – then you need to set a value stream that can actually patch struts and an architecture that supports that, otherwise they can't lead the company adequately."

12. The more you can reduce transaction costs around non-functional requirements, the more business buy-in you will receive, per Esser: "The spirit of the DevOps movement is how you make non-functional requirements, like security maintenance, that from a business perspective look like a liability, they look like they're costing me money. How do you reduce that transaction cost? The more you can reduce that transaction cost, the more the business is going to be amenable to you doing these functions."

13. It's all about getting in the right mindset, per DeArdo: "You have to have a mindset beyond, ‘I'm going to patch. I'll just keep up with my patch and the problem will go away.' Yes, you should do patches, but that's not going to solve the problem. You don't have the right culture mindset to drive a stride."

14. It's important that the technology and business organizations communicate with each other the reasoning for making certain decisions, advises Nasello: "Sometimes in the technology organization we may be constrained with vocabulary on helping our business leaders to understand why we need to continue to invest in availabilities or nonfunctional capabilities. Not understanding the broader context in the business domain of what they were using the technology organization for is a chronic conflict. I think what exists in all of our organizations is making hygiene, maintenance, everything else important along with business."

15. It's important to explain things in terms that each stakeholder will understand, advises Kersten: "Our CFO just calls himself an accountant and so we have to bring it back to those terms. And same with some of these CEOs – it's got to go back to business terms. In the end, it's about dollars and risk. In the end business leaders should be looking at net present value of the company. They understand if you've got high velocity, but extremely high risk, and this new application has sensitive information that's exposed, then the present value will be lower."

16. Getting security comes down to affordability, says Esser: "It's not the value of the investment, it's not the value necessarily of security. I can try to compare that value but, there's probability involved as well. In my experience you're always going to be able to do what you need to do as a technologist if you can make it affordable."

17. Allspaw doesn't think this is actually a leadership issue: "I actually don't think that there's a leadership lesson in here. There's a leadership lesson in apologizing, a leadership lesson in setting the conditions for the organization to learn, but again in the end it all comes back to faster, better, cheaper."

Watch the full discussion below

Share this

Industry News

August 08, 2022

Contrast Security announced that software composition analysis (SCA) is now available for free in CodeSec.

CodeSec offers free application security testing and SCA in a single, developer-friendly interface.

The new SCA feature will enable developers to easily identify vulnerable third-party libraries quickly and accurately, getting secure code moving in minutes.

August 08, 2022

CloudBees announced Anuj Kapur as President and CEO.

August 08, 2022

ShiftLeft named Stuart McClure as CEO.

August 04, 2022

Cribl announced a new partnership with SentinelOne. The partnership enables SentinelOne customers to leverage Cribl's observability product suite to streamline cybersecurity triage, optimize data collection, and provide security teams control of their data.

August 04, 2022

Seemplicity partnered with Checkmarx. The partnership will see the Checkmarx One Platform integrated within Seemplicity's Productivity Platform, allowing joint customers to simplify the entire find-to-fix lifecycle and ultimately accelerate the time to remediation of vulnerabilities found throughout the software development lifecycle (SDLC).

August 04, 2022

Rafay Systems announced new capabilities that empower enterprise platform teams to provide developer self-service for faster application deployments with the necessary guardrails enterprises require.

August 03, 2022

Armory announced the availability of its CD Self-Hosted and Managed 2.28 product release.

August 03, 2022

mabl announced the release of enhanced branching capabilities that enable software development teams to easily create test branches, compare different versions of tests, and resolve conflicts in parallel with development and at the rapid pace of CI/CD.

August 03, 2022

Appdome announced the immediate availability of ThreatScope, a Mobile Security Operations Center (SOC) that's fully integrated inside the Appdome DevSecOps build system.

August 02, 2022

Traceable AI announced the addition of extended Berkeley Packet Filter (eBPF) data to its platform.

August 02, 2022

Harness announced the general availability of Harness Security Testing Orchestration (STO).

August 02, 2022

LambdaTest announced the availability of HyperExecute, a lightning-quick intelligent test orchestration platform, in the Microsoft Azure Marketplace, an online store providing applications and services for use on Azure.

August 01, 2022

Retool announced major updates to its free plan for developers, which now allows teams of up to five users to build unlimited apps.

August 01, 2022

Hazelcast announced the beta release of a new serverless offering under its Viridian cloud portfolio.

Hazelcast Viridian Serverless enables companies to take immediate action on real-time data by speeding app development, simplifying provisioning, and enabling flexible and robust integration of real-time data into applications.

August 01, 2022

Exadel announced the recent acquisition of software engineering company Motion Software, which specializes in blockchain, AI, analytics, healthcare, and eLearning, and is the creator of a remote work platform that enables tech companies to engage with top digital talent worldwide.