“…make sure that the constraint is not allowed to waste any time. Ever. It should never be waiting on other resource for anything, and it should always be working on the highest priority commitment the IT Operations organization has made to the rest of the enterprise. Always.”
The Phoenix project
The NUMBER ONE constraint in Security department is people.
It is unlikely we can hire enough people to match the number of developers and operations engineers.
The way to free up our constraint (people) is to try to automate as many tasks as possible so that the people can do the things that are unique and contextual.
Another way is to take a preventative approach by educating developers and ops engineers on best security practices that they need to follow (this means secure by defaults configurations, having documentation and guides). The famous Netflix’s paved roads….
any improvement not made at the constraint is just an illusion, yes?
The Phoenix project