it’s not luck

I’ve learned a lot by coaching my son’s youth soccer team. At the beginning of last season, his team had several boys ranging from ok to pretty good players. The only problem was they wouldn’t work together.

They’d all either stand around and watch whenever they didn’t have the ball, or they would form a large cluster around whoever did have the ball.

Like bees to honey.

But then something happened. They learned to pass the ball when the other team swarmed after them. Pretty soon they were winning games. They were even coming from behind and not getting frustrated.

What does this have to do with anything?


Once we learn not to focus on ourselves and only our own activities and tasks, we can figure out how our activities can impact bigger goals and drive them forward. In essence, this is what the book The Goal by Eliyahu Goldratt is about.

Many think it’s just about lean manufacturing and reducing batch sizes. Nope – that’s just scratching the surface. Why do I say that? I read the sequel, “It’s not luck” where Goldratt applies the principles from The Goal to business processes.

The Goal is about getting everyone to work together to a common goal, namely helping the business make more money by getting its products out the door more efficiently and on time.

Incidentally, this thought process can be useful to break down complex problems into component parts. Large insurmountable problems can be made smaller and more manageable when everyone involved stops worrying about their own needs and issues and starts to look at the broader picture.

Applying manufacturing principles to security teams

Hopefully you see how applicable this can be to cyber security. Security teams can become not only more efficient and effective in their own workstreams. But they can also become business enablers and partner with the business to provide value in their project workstreams. The security team can bring vision that no one else has.

Security architects understand the applications and network better than anyone. Security analysts and engineers understand how the applications communicate and which teams use what tools and technologies. In short, the security team as a whole possesses a unique set of tools and knowledge that can help IT make systems more resilient to failure and less susceptible to breach.

If you’re not doing this, your security team remains just a cost center to the business.