Re-visiting The Phoenix Project
by Cameron Haight | January 14, 2015
Last year, I created a list of books that I really wanted to read. Today, that list numbers over 90 books that cover a wide range of IT-related topics. I had already crossed off The Phoenix Project as I read it shortly after its publication, but the novel is one of those rare books that I think you need to read more than once because of all of the “awesomeness” that it contains. So, over the recent holidays, I took time in between all of the festivities to read it for a second time.
When I first read the book, my initial hero was Bill Palmer, who, as the acting VP of IT Operations, righted a sinking ship and demonstrated how critical a well-oiled operations team was to the business. This, of course, shows my bias since I have been operationally-focused in some fashion throughout most of my career and as a community, we all seem to cheer when operations is viewed in a positive light.
Upon the second reading, however, my perception changed. Bill is still the key focus of the story and is still deserving of the majority of the kudos, but the person that I subsequently developed the most respect for was John Pesche – the Parts Unlimited CISO. Of all of the characters in the book, he had to change the most IMHO. He had to internally challenge years of security culture training and conventional wisdom and come to the conclusion that there had to be a better way – a way that was focused not on just protecting the business, but more importantly, enabling it. That’s a tough thing to do in any type of job but perhaps even more so today within the security and audit realms where the threats and the regulations seem to multiply every day.
I’m starting to see more of this behavior in the clients that I interact with. One particular financial industry organization that I’m familiar with constantly works with and encourages their audit (and security) teams to be business outcome-focused, and not process-focused. There is not only the constant re-assessment of the types of necessary controls (and processes), but also the extent of their applied scope.
For Gartner clients, my colleague (and one of The Phoenix Project’s co-authors) George Spafford and I wrote on DevOps and compliance last year here. In addition, Gene Kim, James DeLuccia (of Ernst and Young) and some others have together put out a DevOps Audit Defense Toolkit that is another valuable addition to the discussion. Now, on to the next book on my list!