Log4j, Continuous Threats, and Building a Continuous Transformation Culture

Posted by Matthew Grant on December 14, 2021

Blog_photo

When it became known last week that Apache’s popular software library – Log4j 2 – had a critical vulnerability, enterprise security teams sprang into action. The severity of the vulnerability and the widespread usage of the library (“this shit is everywhere – and I do mean everywhere,” one anonymous security engineer told WIRED) drove a real need for speed.

We moved quickly ourselves, mitigating the Log4j vulnerability in less than 48 hours. Yes, the LeanIX Value Stream Management tool played a critical role in our response. But technical solutions alone cannot create the level of preparedness all organizations must cultivate if they are going to deal with the next high profile, Internet-wide security crisis.

Continuous Threats Demand Continuous Transformation

It may just be a coincidence, but today marks the one-year anniversary of the first report on the SolarWinds supply chain attack. In that attack, hackers tampered with SolarWinds software updates and successfully infiltrated high profile targets within the US Government and Fortune 500 companies.

Although the Log4j 2 vulnerability is of a very different kind from the SolarWinds hack, both cases remind us of an inconvenient truth: Systems within organizations of all sizes are under constant attack and bad actors work feverishly to devise or discover new ways to circumvent our most sophisticated security measures.

In other words, the threat is continuous. It’s not just that some state actors pose an “advanced persistent threat” to this or that organization. The fact of the matter is, our software landscapes continue to become more complex and increasingly rely on an array of microservices and intricate dependencies that make the inadvertent propagation of potential vulnerabilities essentially unavoidable.

To meet this continuous threat, organizations must adopt a culture of continuous transformation. A culture of continuous transformation doesn’t mean that the organization is perpetually in a state of flux. It means instead that the organization is continuously adapting to changing market conditions, competitive pressure and customer behavior. And before any particular need for change arises, the organization is capable of and prepared to make that change.

In other words, a culture of continuous transformation means creating and sustaining a constant state of readiness for change. As a result, when the time comes, you can move. Fast.

How Automated Transparency Fuels Rapid Organizational Change

Organizational change, if it is going to be more than reactive, must be deliberate. Deliberate change requires a couple things. First, it needs a goal, a vision of the should be.

Second, to figure out how to get there, deliberate change needs an accurate accounting of the current state. Only in this way can you know what you are working with, the kinds of relationships and dependencies that exist in your systems, and how exactly to make the desired change happen.

Here’s a concrete example.

To address the Log4j 2 vulnerability in our own organization, we needed find out where we had used the software library. We could do that quickly and begin implementing a robust fix because we maintain an automated inventory of our services across the things we build.

As it turned out, there were instances of Log4j 2 in two of our products. But we didn’t have to waste time looking for them. We could already see them.

Rapid change requires rapid insight. Automation provides the continuous transparency that rapid insight – and a culture of continuous transformation – demands.

Beyond Alignment: Cultivating Real Collaboration

No matter how much data you collect about your current state, when changes need to be made, that data can’t do it alone. Neither can the technology. You need people to make it happen. The way they make it happen, the types of interactions this process involves, constitute an organization’s culture.

For transformation to be continuous, the whole organization – especially the way people make things happen – must transform. That’s why we refer to a “culture” of continuous transformation. It’s also why we believe there can be no continuous transformation without collaboration, without people effectively working together towards a common goal.

It is easy to see how the Log4j vulnerability and the response to it involves the whole business. On the one hand, directly addressing the issue requires a range of technical people. On the other hand, communicating with clients and the broader community calls for support from sales, marketing, customer success and company leadership.

Collaboration between these groups depends on effective communication. And effective communication rests on a common language.

In our case, our VSM tool provided this common language. It served both as the system of record for our services catalogue as well as a collaborative communication tool through visualizations and dashboards.

The role of such tools in providing a common language for a culture of transformation cannot be overestimated. Indeed, they can be judged on their ability to do so.

That being said, this isn’t about “getting everyone on the same page.” It isn’t about “alignment” and the rigid, inflexibility that term implies either.

It’s about making it possible for people to work together, whenever they need to, on the things that matter most at the moment.

Facing Uncertainty with Certainty

People associate change with uncertainty. And uncertainty makes people uncomfortable. Yet, change is unavoidable. We know this. So, how do we face it with certainty?

First, we take it seriously. I invoked the “continuous threat” above not to spread fear but to acknowledge the reality. A reality that feels particularly real at the moment thanks to Log4j 2.

Second, we ground ourselves in the present. Cataloging microservices, mapping the IT landscape, and so on are ways of doing this.

Finally, we commit to working together with a common language, shared tools and collaborative processes.

And then we change.