Can you outline why your team embarked on this project and the problem that needed to be solved?
At Boeing, the stakes cannot be higher than human life, so we must align our values in all that we do.
External hosting, or cloud solutions as they are commonly called, is part of IT best practices. Yet external hosting presents unique sourcing risks in the domain of information security and partners’ vulnerabilities. Boeing is a security-minded company – with large visibility and resources in the worlds of physical security and information security – so this mindset that “you are as strong as your weakest link” must be part of the sourcing process. In addition to the operational, financial, strategic and business considerations of cloud partnerships, Boeing has architected its “Fit For Use” process (“FFU”) to bring information security to everyone’s mind. The simple goal of FFU is to inform all stakeholders of a consistent, easily repeatable process to ensure business velocity and security in the cloud. This means that employees and vendors alike are presented with clear, detailed information security expectations by the FFU process from the outset.
How were things done originally and what was the inspiration to innovate the process?
Without a clear process, challenges in determining the fit of external hosting opportunities seemed ambiguous. Business requests to leverage cloud services were either not reviewed by Information Security at all, creating significant security risk, or security assessments were ad hoc and inconsistent. Information Security requirements were poorly defined and/or frequently missed based on differing use cases, posing missed security vulnerabilities. This inefficiency and lack of clear expectations often frustrated the interests of internal stakeholders as well as Boeing’s strategic partners.
Too often, that achieved a result of “no” – meaning that the business chose the safer and less risky option of internally hosting too much – and those costs were shouldered by the enterprise. With FFU, the business needs are articulated clearly and in a timely manner, and the Information Security assessments are performed in a timely manner – which maximizes sourcing spend and drives business-minded, effective outcomes.
What KPIs did you use to measure success for this project? (For example: performance, customer satisfaction, revenue, sales or relevant financial gains?)
When the FFU process was implemented, it was crucial that stakeholders see tangible outcomes. Information Security (IS) created a set of KPIs to compare against, which included, but were not limited to:
Assessment timeframe: how long it would take an assessment to complete over the whole lifecycle of the request, from intake to exit approval/rejection. In the worst cases for the initial process we could see this take upwards of nine months; in the best cases, three months. Our worst case now is three to four months, with the best case being one week.
Rework to solution architecture: how many times required deliverables needed to be sent back to requestors & bidders for the deliverable to be considered “complete” with all relevant and required information. In the worst cases for the initial process this could be upwards of 10 times per deliverable, with a best case of two to three times. Our worst case scenario now is four to five times, with a best case of no rework.
Time for Service Providers to complete package: how long it took IS assessors to review required deliverables, a factor of the first two items; the initial process worst case scenario could be up to five months of review time, with the best case being two months. Our worst case scenario now is about two weeks, with a best case of two days.
Threats identified/missed: a measure of threats that were missed on initial assessments; our initial process had a worst case scenario of anywhere from four to five threats, with a best case of zero. Our process now has a worst case scenario (so far) of one to two threats, with a best case of zero.
How do you plan to ensure that the new model remains relevant and adapts to the future needs of the market?
Boeing’s information security has already anticipated this need. We have a process whereby we will update requirements at least quarterly and then compare against industry standards and threats at least annually. While the details of these processes are proprietary, we would like to highlight the importance of these practices since IT must always be at the cutting edge.
As part of the Emergent Technologies Security team, we are constantly working with emerging technologies and solutions to be able to learn how to better the process, particularly as it relates to automation. While the details of these processes are proprietary, we would like to highlight the importance of talking to vendors and staying abreast of emergent technologies.
Further, Boeing sells cutting-edge security solutions to the U.S., U.K. (and other) governments – and has used many of the same practices/technologies here, most of which are proprietary or classified. The value of this approach is both reducing risk and generating revenue.
What advice do you have for those who may want to implement this innovative approach in their own organizations?
There are two types of companies: those who have experienced a data breach and those who don’t know that they’ve experienced a data breach. Our FFU process helps create a third type of company, one that proactively defends against breach. This not only brings security to the forefront but also optimizes risks and opportunities based on the nature of the threat, safeguarding data against bad actors who may wish to steal or adulterate it.
Information security interests often force business leaders to choose either (1) to work around IT to host more quickly, due to the length of review, challenges of engaging the right reviewers, and cost/budget implications, or (2) the less risky option of internally hosting too much – with those costs shouldered by the enterprise. Clearly there are partners whose core competencies include external hosting. While Boeing and other companies can certainly provide and maintain their own infrastructure – and to be certain we do much of this – there are advantages and agility to be gained by sourcing.
How did you get your company and/or stakeholders to get on board and support this project?
Frankly, the daily news makes the business case for security obvious and, as stated above, Boeing has a paramount regard for security. By articulating the initial risks of leveraging the original process and showing data to stakeholders, this was a clear business case. We provided examples of what threats currently existed, the length of work (time) to implement a solution/properly assess, and additional data pertaining to the number of times a project had to get rework on average. Data-minded leaders gave quick support to this project.
We believe that our security requirements provide a competitive advantage to The Boeing Company and will allow us to ensure that we are building security into our solutions. We are proud that information security is at the forefront of sourcing activities early on, and that there is a healthy tension that does not slow down business velocity.
Again, Boeing’s customers trust that we understand how to handle sensitive data and we must make informed and careful decisions to share and protect that data. The FFU process and the requirements offered to our suppliers make information security the primary position of sourcing cloud solutions.