objectives. When combined with Agile and Lean practices, this approach can focus IT planning, reduce risk, eliminate waste, and provide a supportive environment for teams engaged in creating value. If you month, you can find the handout for Part 2 on the Agile4Defense GitHub page at: https://git.io/JeaO2 Risk The presence of uncertainty is the simple reason why Agile approaches work better than plan-driven business value by adopting an intelligent attitude toward risk. Risk is the chance of a negative impact resulting from uncertainty. We can reduce risk—often at a cost —but there is generally no way to eliminate

time through incremental investments.  Managing the EA asset is an art, just as all strategic management is an art. Just as the CMO must sense market opportunities, weigh tactics for communicating with of custom-developing systems that preserve many of the advantages of buying off the shelf.  The risk of developing a system incrementally and altering it based on user feedback is often lower than that away by frameworks and design patterns. Incremental delivery and staged investments reduce cost and risk.  Custom code is almost not custom these days. A developer incorporates open source frameworks

information is evaluated and debated; more similar to R&D lab. f. REDEFINE FAILURE AND ENCOURAGE CALCULATED RISK-TAKING i. Leaders reinforce the culture through their actions ii. Roy Rappaport, Netflix – a single testing efforts – Part 6: The Technical Practices of Integrating Information Security, Change Management, and Compliance 1. Introduction a. Goal to simultaneously achieve Information Security goals guidance as early as possible ii. Awareness and involvement provides better business context for risk-based decisions d. INTEGRATE SECURITY INTO DEFECT TRACKING AND POST-MORTEMS i. Track all open security

substitute for the outdated project view in my vision for what IT leadership must become. Uncertainty and Risk: Third, underlying all of these changes – all of the problems with plan-drive approaches, all of confusion about how to deal with uncertainty and risk. What I call the “contractor-control paradigm” – is really about trying to make risk go away, when risk really the essence of what we do. Complex Adaptive seek feedback on its work? How will it solicit feedback and guidance from management? How frequently will it engage management? I want to make sure that we have an understanding on how my input and feedback

forces a termination iv. Examples of potentially significant events (Gartner’s GTP Security & Risk Management group) 1. Authentication/authorization decisions 2. System and data access 3. System and Process to Increase Quality of Our Current Work a. Goal – enable Development and Operations to reduce risk before production changes are made. Keep the reviews and approvals close to those whom are knowledgeable control failure – seems valid since we can imagine better control practices could have detected the risk earlier prevent the issue or could have taken steps to detect and recover faster 2. Accident due

& practicing continuous integration & testing iv. Automating, enabling, and architecting for low-risk releases b. Integrating objectives of QA & Operations to improve outcomes 2. Ch. 9 – Create the and even higher job satisfaction and lower rates of burnout. 5. Ch. 12 Automate and Enable Low-Risk Releases a. Just like we reduce batch size and increase frequency of feedback during development control needs separate Operations groups have emerged ii. Widely accepted practice to “reduce the risk of production outages and fraud” iii. DevOps goal – shift reliance from separate groups to other

have nothing to fear. Any Leader needs to be brave enough to allocate teams to do some calcuated risk- taking.” 8. Ch. 6 Understanding the Work in Our Value Stream, Making it Visible, and Expanding it

 working off a single backlog of features, driven by vision and roadmap  product and release management, release planning  program psi objectives  common sprint lengths - system continuous integration  business epics  architectural epics  kanban epic system – limit WIP  program portfolio management, enterprise architect  value streams  investment themes - provide operating budgets for release

Development  Operations (Operational Waterfall)  Infrastructure Ops  Product Ops  Product Management  Every technology under the sun  Solaris, Windows, Linux  Apache, IIS, TCServer, etc.  homogenization and assimilation – no snowflakes  Deployment methodologies, automation, monitoring, and management tested continuously. Steve Barr steve.barr@csgi.com @srbarr1 Overall Quality improvements, “it”

Security Stack enables: correlated and centralized logs, container security, east/west traffic management, a zero-trust model, a whitelist, Role-Based Access Control (RBAC), continuous monitoring, signature-based This can also be used to send notifications when there is anomalous behavior. 4. Vulnerability Management 5. A service mesh proxy to connect to the service mesh 6. Zero Trust down to the container