An interesting metaphor I had to come up with for a colleague in Product Security (not my employer, of course)

I had a conversation with a colleague in a Product Security team of a software company (of course, not related to my current employer). Had to come up with a metaphor for them to click with the idea. Thought I should share it here - no one opens this old blog anyway.

The metaphor is for vulnerability management and supply chain issues. While, in my personal view, there should no longer be separate, stand-alone “security” teams, this is about the collaboration of those teams with engineers.

Let’s put the words “security vulnerability” aside and use something that illustrates our customer’s frustration a bit better -

• Our customers are complaining about the horrid stink in our products.

• Our department’s primary goal is to ensure we are not shipping stinking products to our customers. Everything else is secondary to that.

• The strength (volume) of the stink is probably the most crucial metric we can try managing - not the knowledge of the specific source of the stink nor why it stinks the particular stink. For our customers, it matters very little what exactly stinks and where. It’s our product that stinks for them.

• Let’s focus on removing as much stink as possible as fast as possible.

• Of course, due to the specifics of our profession (Security), we learn to differentiate between objects that produce stink: it matters what exactly stinks to us. But all those details matter little to our customers.

• It’s wrong to focus on differentiating stink types and qualities and creating an encyclopedia of stink instead of focusing on removing it.

• We were lucky to discover that expired building materials produce most of the stink in our products. Also, fortunately, our products have modular construction, so our builders can easily replace those modules.

• Our team is an expert in detecting and differentiating stinky materials. But we are not the ones who built the product, nor do we have the means of fixing the problem ourselves - that would require access to building materials and expertise in construction, as well as access to storage and machinery.

• In our industry, it’s often the building materials that start producing stink quickly. While we can point to the source of the stink, unfortunately, we are not the ones to decide how exactly that particular stinky component of the building can be replaced, by whom, and how that action will affect the product.