Patrick Adams  00:00

Hello, and welcome to the Lean solutions podcast. My guest today is Glen Wilson. Glen is a management consultant specializing in DevOps, agile and security. He is the founder of dynamic net and holder of a certified Certified Information Systems Security Professional. We’ll learn more about that shortly. He is also the best selling author of the book, Dev SEC ops A Leaders Guide to producing secure software without compromising flow, feedback and continuous improvement. Welcome to the show, Glenn.

 

 

Glenn Wilson  01:02

Hi, Patrick. It’s a pleasure going to show you been a follower of your show for a while. So thank you for inviting me along.

 

Patrick Adams  01:10

Yeah, it’s good to see you again. Glen. Glen and I were both in Japan together not too long ago. So catching up, is always good with with a few of the the other people that that were with us, in Japan. And so I’m looking forward to this conversation Glen, just put in before we dive into DevOps, which is what I’m excited to hear a little bit more about. How are you feeling? With your return from Japan? Have you it’s been a while yet now. But actually you were you since Japan? You’ve actually been in the US as well, right?

 

01:46

Yeah, that’s right. So I’m living UK, in Canterbury in Kent. So I, I’ve been back back two or three weeks from Japan. And then I traveled out to the USA where I visited upstate New York. I basically went to the International Boxing Hall of Fame induction weekend, which I’ve been going to for the last 1314 years. So yeah, back in the States. And to answer your question. So coming back from Japan, it was an amazing experience to get to Japan. It’s been on my bucket list for a long time. I think I joked while I was out there that on my bucket list, I had an item that said to eat sushi in Tokyo. Four days before I could do it. But yeah. But Japan was an amazing experience, organized by Katie Anderson. And it was it was a great experience. I recommend it to anybody who, who has an interest in Japanese ways of working to go along to one of those definitely.

 

Patrick Adams  02:50

Absolutely. Glenn, what would you say was your you know, if you could pick one, one highlight or you know, even a couple different points in Japan that you feel like are worth sharing? What would be the two are the one that comes to mind? You know, an aha moment or something that you you say, you know that this is something that really impacted me in a big way when we were there.

 

03:13

Yeah, so for me, I think, being seeing exactly how things are done. You know, I’ve read a lot I’ve read micropowder. I’ve read Geoffrey liker, I’ve read it, you understand that and I’ve read a lot of books like that on the Toyota Production System, I’ve even gone back to retail to know and Shingo should go. So I’ve read a lot. But that doesn’t necessarily mean I’ve experienced that. I’ve experienced some elements of it within some of the organizations that I’ve worked for. But being able to go to Japan, and actually seeing it in action. And in ways done in Japan as well is it’s a thoughtless process, it is ingrained into the way that they do things. And I think that was such a big takeaway for me is understanding that it is part of the Japanese culture. So I know we’ve seen organizations in the UK and I’ve worked with a couple of them that have ways of working, that are similar to what we saw, but it’s not ingrained into the culture as such. But yeah, that was that was the big takeaway from me. I think another takeaway for me was I just remember seeing as children, we went, we went to an elementary school and the primary schools were saying UK and we saw some children cleaning the school now, which is a typical school in Japan, typical school. Now where’s every school in Japan, their children clean the school, they have no janitors in, in the schools. And that, to me, shows that there’s an element of respect but what that also taught me I work in security and security is possibly a subset of quality or the to very much overlap. And it just made me realize, actually, if you build security or quality into your daily lives, then you’ve got the opportunity to actually build products and deliver services that are more secure. Because you’re sticking grained into the way you do things. And I think that was another massive takeaway for me as well. However, we’ve missed the boat on it in Western culture, we don’t have children clean the school on second, we have to teach this stuff when we when these when people enter organizations, and I think, you know, that’s something which we still need to work on in the western culture. And, and that’s something we can’t take from Japan. So we got to work out for ourselves here in the West.

 

Patrick Adams  05:40

Right, right. So true, it’s funny that you use that example, I just recently had Stephanie Oliver, on who was also with us, in Japan, and she gave the exact same example of going to the school and said that that was the one thing that was really a, you know, a huge impact for her too. And I would agree, I just think, when you think about, you know, what, the Toyota Production System and the, you know, the the workers, when they were growing up in Japan, I mean, they were engulfed in, you know, a very specific culture that then helped enable a lot of what we now know is the success that came with the Toyota Production System. And it’s just really interesting to see, you know, how all of those different things that we experienced with, you know, the younger generation in Japan, how that, you know, rolled over then when we went and visited some of the some of the different production facilities that we went to. Pretty amazing, amazing stuff, for sure. Absolutely. So let’s talk about dev SEC ops. You know, this is a, this is an area where you wrote the book. And for those that are listening in that don’t know, what a Certified Information Systems Security Professional or think you say, sis, right? What what is that? And then then let’s talk about dev SEC ops. And what is Dev SEC ops? And what is the problem that you’re trying to solve?

 

07:13

Yes, assess. And that’s basically what I am a Certified Information Systems Security Professional, is basically somebody who’s qualified with ISC squared, an organization that also certification organization, to show that you have not only the depth of knowledge of security, but the breadth of knowledge of security. So there are eight domains that you need to be aware of. And you need to be pretty proficient at each of these domains to to pass the exam. It’s more for the management level. And a lot of CISOs that I am aware of tend to go down the route of gaining assists qualification. And it was just something I was interested in doing at the time. And yeah, so they can assist was was one part of it. But it’s interesting that there’s a lot of stuff in the system that is not quite, it doesn’t quite match what we need to do in DedSec ops. So def, as a system is very much based on information security done in a handover type way in a waterfall type process. And this is where the challenge is, and this is what DedSec Ops is trying to solve, really. So dev SEC ops. It’s it’s a merging of different types of philosophies. So you have an agile philosophy, which, obviously, everybody’s that’s in it knows about agile knows that there was the Agile Manifesto that came out of came out in 2001. Prior to that, you had people like Kent Beck, who was designing something called Test Driven Development, which was about writing tests first and developing the software after so it’s almost like, if you want to look at a PDCA Cycle isn’t it is like you planning you want your application to do. You write your tests, you then write the code that fixes the tests, and then you look to see what’s happening here. So there’s a PDSA PDCA, tight, iterative process going on there. And then out of that came Agile and Scrum I think, as well predates agile, but these things fit into into the Agile Manifesto. The Agile Manifesto is, is designed by developers for developers. So it was a great set of values and four values and 12 principles. And it really good for developers to actually understand how they can develop software in an iterative way. So it solved the problem of designing upfront developing and then waiting several weeks for test results to come back. And that would cause problems and because once you got the test results back, you’ve might have moved on to the project or you might have forgotten what you’re working on or what Worst case scenario, the developers have left the company and that, especially if they’re contractors, which we’ve seen before. So, DevOps is more like an evolution from the Agile. So rather than just doing development in, following the manifesto, a tool for developers by developers, we brought in the operations side of it. So the idea is, is that a developer not only develops a product, but then maintains a product. So we’re not handing it over the wall to a set of operations people to manage it, and then creating the same sort of problems where operations people will find problems thrown back to developers. But it could be weeks after the event and you’ve forgotten the code. So the idea is, is to bring the development and operations together into a continuous thread or continuous pipeline into development. It’s built into the into the build process. So basically, developers to code, they test it, they create the code for the environment, or even the operations team grade the code for the environment, they’re continuously working together side by side, in order to create this seamless migration from design through to production and into maintenance. So DevOps was aligning development and operations, but then security got a little bit left behind. So security is now it is in a situation where they are siloed out of the whole process. So the traditionally, and this is what the CIS teaches you, that you as as a security person, you’d want to come in and do some threat modeling on the designing of application, he then wants to look at the code and do code reviews and review the code. And then you’d want to do some testing, some penetration testing there, all of these have time lags. And you’re handing the code what you’re handing over to security to do the work, which slows the development and operation site down, it means that they can’t progress the work as quickly as they wanted to. So the whole idea of DedSec ops then was to bring in some processes to try and make this a little bit more seamless, but in a secure way. So we introduced things like automated security testing. So we have static analysis, and dynamic analysis, which look at your source code. And try to identify potential weaknesses within your source code. We have software composition analysis, which looks at third party libraries that you’re introducing into your code to make sure that they don’t contain vulnerabilities. Because that’s a massive problem, we’re having security. And that’s what eliminates some of the need for penetration testing. We still do need penetration testing. But it’s it means that we can progress a little bit quickly, more quickly and produce code and produce products and services with a fair amount of security baked into what we’re doing, without having to hand stuff over to security. And that’s what dev SEC Ops is trying to solve when there’s a problem of aligning dev ops and security.

 

Patrick Adams  13:19

Makes sense? Yeah. And obviously, I mean, a lot of what you’re talking about is outside of my threshold of knowledge, that’s why we have people like you. But I know, you know, I know, lean, I know, continuous improvement, I know agile, so obviously, a lot of those things that you’re talking about driving learning upfront, working together to drive out some of those hidden assumptions and, and really develop, have something that’s being developed that you know, is going to be the right end product. And now, like you said, bringing in security, because obviously, that’s important as well, especially in today’s world with, you know, all of the issues that we have, and obviously, technology is just things are changing continuously. So, obviously, I can see the value in that. But, you know, think about with with the designing, you know, these these different digital products that you know, are going out, you know, regularly and there’s all these updates that are happening on a continuous basis. How does, how does lean work into that? What, you know, what, what did digital organizations need to understand about Lean and how, how do they all come together? What are the important pieces that you know, that can be that can be learned, when we put them together? Does that make sense?

 

14:33

Yeah, sure. So. So the way I look at it is is lean is about reducing waste. So, you know, again, when I was in Japan, we saw these amazing robots that eliminated waste. We saw we saw the single minute exchange of dye in actually working, you know, which I always find fascinating, the story behind that, and it’s like, it’s very simple. That’s what you see in security, right? So, insecurity, we’ve had moments where it’s taken a security professional several hours, or maybe even days to do a penetration test of a product or service. And then to find defects, what we really want to do is find those defects really quickly, we want to find them as developers pretty much writing the code, or soon after. So reducing that waste of time of sending code to or sending products over to another team to do the testing, actually, at the point of when you’re writing the code is very important. I think that’s something we’ve learned from lean. I think also having the tools around you as well, you know, we’ve talked about the three S’s or the five S’s. It’s quite good to put that into context of software development. But I look at it like this and think that, well, we’ve got the tools around us in terms of the software that we’re the development environments we’re using, they’re accessible, we know what they look like, we integrate extensions into those ideas, so that we can test our code. So it’s all there in front of the developers. So the developer doesn’t have to go elsewhere outside of the team or outside of his IDE, and to do the testing. And to pull in the right elements I mentioned earlier, third party software, you know, all they need to do is just go to a site like GitHub, pull in an open source library, and that might solve a problem they have so and the problem they might have, it could be, you know, there could be loads of different open source pieces of software that solves that for them. So rather than writing it themselves and wasting time down there, they put an extra code. So I think that’s where lien can become a little bit more beneficial to software security. There is one thing I want to touch on, which is about how perhaps, some of those solutions are created other programs, which we probably need to address in cybersecurity, but I’m happy to come on to those a bit later. But for the moment, though, that’s, that’s, I think, how we can learn from the Lean movement and understand what we’re trying to do. When we think about DevOps itself. DevOps has five principles. The first principle is locality and simplicity. So we want to, we don’t want to have to waste time in terms of going up the organizational hierarchy to the head of a team, to then comes back down to another team so that we can get permission to do something. So think about that in security, you know, I’ve only write a piece of code, or develop a feature, I don’t want it to go to my manager, who then goes to his manager then brings up a board meeting, and does more, we got to wait for that. Yeah, so. So locality and simplicity, I should be able to make autonomous decisions at my level, and at the local level. That’s important. So that’s the first principle. The second principle is focus, flow and joy. So that’s the whole idea that we are not having to wait on anybody. Again, that shows we’re looking at Lean principles here. And the word joy is quite important there, right? Because what again, when I was in Japan, Joy was a word that came up over and over again, whenever we went to an organization, it was one of their missions was to bring joy into the workforce, bring joy to the customer, they weren’t satisfied. Customer satisfaction, they want customer joy, they want the customer to go out and proclaim that this is the best product in the world, to almost become a partner. So really the important thing we want that for developers, right? We want our developers to feel that joy when they’re writing go, they don’t want to sit there and frustrated, because they can’t do what they want to do. So that’s the second principle. The third principle is improvement of daily work. Now, that is kaizen. That is absolutely Kaizen is about bringing improvements into everything we do on a daily basis. So that could be bringing in automation, it could be introducing something called pair programming so that two developers can work side by side. And although that sounds like it is wasteful, in the sense that you got two developers working on the same keyboard, actually, it’s been proven to be more effective at reducing waste there because you’ve got you almost got some validation of the code almost as soon as you’re writing it. Right. So the fourth principle is psychological safety. So that has been able to raise questions of challenge the status quo guess and not feel afraid of it and being able to bring in New ideas without repercussions. So again, that’s taken from that Lean culture and the whole idea of you know, that anyone can bring up an idea. Again, when was in Japan, one of the companies or companies when it was basically said that each of the developers has a sorry, each of their engineers has around 100 ideas every year. There’s too weak ideas, you know, and there’s no fear there, there’s no fear of coming up with something silly or something stupid, everything is validated, everything is given a chance. And quite often, it’s just the the engineer himself will implement it or, or the small team around them. So that’s the fourth principle. And then the last principle is customer focus. So that that speaks for itself really, is that we’re developing this for the customer. And we need to think about the customer. For me, security is in an area where the customer focus, we sometimes forget that we quite often hear about it, we don’t want to breach a data breach, because we don’t want our we don’t want to damage our reputation. We don’t want to lose our financial status. We don’t want stakeholders to abandon us, or shareholders to abandon us. It’s very much about the organization. Whereas what I think we should be looking at is customer focus in the sense that we’re here, we’re actually looking after the customers data, the customer’s financial information. And we need to be very much aware of that and protecting our customers. This is not about reputational damage, it’s not about your financial gains or losses, it’s about our customers. And customers can be affected severely by breaches, you know, they could end up losing a lot of money, they could end up being very badly embarrassed. And we have heard of people that have ended up taking their own lives as a result of security breaches. So it’s, you know, it’s something we need to take seriously. But they’re your first principles of DevOps, and a rough guide as to how they saw like, marry up to the Lean principles. Not not fully, but but certainly there is a little bit of overlap.

 

Patrick Adams  22:17

Oh, absolutely. I can definitely see the connection for sure. And in a lean organization, you know, we’re trying to create a learning culture right that’s continuously experimenting that they don’t have fear of failure that they’re they’re learning things they’re reflecting they’re learning continuously. What does that look like for you know, in cybersecurity, going through those those five principles. It sounds like there has to be some intentional learning. That’s an added in each of those, what exactly what that looked like, you know? For Yeah.

 

25:07

It’s an interesting question, because I think dev ops and Dev psych Ops is still relatively new. I wrote my book, two and a half years ago, three and a half years ago. And it’s still very new, still very fresh, and it’s still evolving. But there’s one element I’d actually mentioned, which is security, chaos engineering. And that’s probably the closest to a learning organization. So the whole idea of this is that we are afforded the opportunity to run experiments that test certain theories about the security of our systems, services and our products. And the idea is, is we come up with these theories, we experiment and then with, with the experiments, when there’s a failure, we can then try to work out how to resolve the problem. And that is, in theory will strengthen the full system. But also by strengthen the whole system, we also have the opportunity to learn about systems because as this has become very complex, there’s a lot of complexity built into, you know, we’ve got multiple components now all integrating with each other, we’ve got different teams are working across many different geographies, that working on the same will the customer sees is the same product, but they’re made up of multiple components. So that that complexity, it becomes impossible really to hold that knowledge in your head. And so in order to learn our way through it, we need to start understanding, you know, the, the resilience of our of our system and how resilient we are to cybersecurity. So for example, we could we could take a you might have a credential that allows us to access a database, and that credential might have admin rights. If we chose to read only does it break anything? Well, that’s what we really want is that to be read only, but it might break something else, we’re in system. So what does it break? Well, we’re going to learn something about the system, because that has broken something somewhere. Or if it doesn’t break it, then that’s great as well, because we’ve learned that actually, we can change that parameter doesn’t affect what we’re doing. So either way, we’re still learning whether learn from failure or learn that we’ve actually don’t have to have that level of privilege for that particular account. So we, we can build that type of resilience into our products or busness into our products. But we also build resilience into our workforce as well, because the more failures that they’re having to deal with on a regular basis, they slowly become more acclimatized to failure. And, and can therefore can deal with it when a proper security incident occurs, they don’t, they’ll be able to think about how to do it, they’ll be able to think out of the box. And I like to use the analogy of a firefighter. So a firefighter, here in the UK, quite often our fire station, you’ll see like a four or five storey mock up of a building. And firefighters practice on that regularly, you know, I don’t know how often but Sonny is regularly. And they’ll go through other drills of like, you know, getting out there fire engines getting ready to go to an emergency, and then packing it all away. And, you know, because it’s just a drill. Now, they keep on doing that on a regular basis. But every time they go out to a real incident, they have no idea what they’re going to face. It is completely unique every single time. But they know how to deal with it. They know what to do not because I’ve seen it explicitly like that previously, but they draw on the experience from all that all the drills I’ve done. And I think when there’s security, chaos engineering, we can offer the same sort of opportunity by allowing our engineers developing the systems to practice over and over again, different scenarios to build that resilience, that knowledge and experience and learning how we can develop and create opportunities for improving our systems or reducing the risk to our systems through this practice, so I saw a big advocate of security, chaos engineering. And I think that is where the learning is probably going to be at its, you know, as we were learning should be basically. Yeah,

 

Patrick Adams  29:37

makes sense. Glenn, are you familiar with Menlo innovations and read Sheridan? We talked about that. Yes.

 

29:45

Yes. I am familiar with Yes. The they. You might have to remind me but yeah, I’m very familiar with them. I know that they develop software. They take an experiment Little approach to developing software.

 

Patrick Adams  30:02

I think they do. And they they also use to programmers to everything that they do so and also the CEO of Menlo wrote the book Joy Inc, and talks about joy in the workplace and stuff. So it’s like, everything you’re talking about is like completely aligning with my friend Richard and and the work that they do at Menlo. But I only say that because I was thinking about, you’re talking about security and zero defects and, you know, these different things that, you know, would be kind of the output or the ultimate goal of having, you know, good, good processes in place to code. And I think about what Rich does with with to two programmers. And then I hear what you’re saying. And I just, I have to ask the question, is it possible to have zero defects? Even Park? I mean, obviously, that’s what we want, right? And that’s why we’re putting some of these things in place. That’s why you’re talking about simplicity. That’s why you’re talking about Kaizen, you know, these different things, is it even possible to have zero defects

 

31:08

probably isn’t. But it’s, it should be an aspiration, right, we should be aiming for zero defects. One thing which I find, and this is one of alluding to earlier is that we create, with these tools that we’ve integrated into our delivery pipelines that discover vulnerabilities within our code. What happens is because we did we run them on code has never been tested before, we generally tend to find lots and lots of vulnerabilities we get, I mean, I’ve seen cases of 510 1000 vulnerabilities that are identified through running this, these tools, they’ll a vast majority of those are going to be false positives, right. So it’s very difficult to, for a developer to sift through them all and fix them all. So what we generally tend to do is pass that vulnerability onto the on to the customer. Because we can’t fix them all. What we try to do is prioritize them when we’re working, which was a critical, which ones are low. And then we work on the critical ones, and then we just let the low ones pass through. So effectively, we were passing a defect on a known defect on to the customer, I feel that what we need to be doing is looking at ways to address the vulnerability management problem that we have in cybersecurity. And it’s not about reducing a number of vulnerabilities to zero because we can’t do it. However, if it were we set as a North Star that we want zero defects, then we need to look at ways of doing that. And the sort of things that I can imagine that we should be doing is, rather than just running a scan across all of our code, let’s just start building the knowledge within our development team and say, Okay, we, we think we might be vulnerable to these types of defects because we have a database, so we might be vulnerable to SQL injection, we might be vulnerable to some access control type vulnerabilities. So let’s just introduce testing for those two elements. And just test that our code is actually okay or not, so we can develop a more considered approach to running those scans. And by doing that, we’re in control of the vulnerabilities. Now people will say, Yeah, but what about all the vulnerabilities you’ve got, because you haven’t run the scan as well. But we’re no different than we were. Before we ran, we’ve, you know, integrated the the application security testing tools in the first place, we’re no different. So let’s work with what we do have do to have knowledge of and start to develop ways to reduce vulnerabilities that way. Because what’s happening at the moment

 

33:59

is borne out by the fact that we see as a website that shows you all the different paper report comes out annually, that shows you the state of security in UK organizations, and it’s showing that we are having an increasing number of defects, the cost of the defects is is increasing. And we need to do something about that. Right. So DevOps has been around now for probably about a while he was first coined in 2009, in a conference in Ghent, but I think companies are really starting to pick it up on it since about 2015 16 When the DevOps handbook came out. And I think after that it’s become a little bit more prevalent. But we’re not seeing a reduction in the number of breaches, if something’s not aligned, something needs to change. And I think that we need to look at how we manage our vulnerabilities and how we focus on the vulnerabilities because in amongst all those vulnerabilities, there’s going to be low rated vulnerabilities that are actually critical. And we don’t know that yet, because they’ve not been exploited. But once they are exploited, we could be in a whole lot of trouble. So let’s be a bit more smarter about how we integrate these tools into our pipelines and how we configure them to detect the right types of vulnerabilities.

 

Patrick Adams  35:27

Right, that makes sense. And obviously, you talk about the vulnerabilities being a current threat as well as a threat into the future. I mean, I just think about, you know, technology, all the advancements in technology, you know, all these different organizations who have in the past, you know, maybe been, they didn’t have all the digital tools, all the, you know, digital products, and now they’re embedding those into their systems. And just that so many uncertainties, you know, as we go forward into the future, I mean, do you see opportunities for organizations to become more resilient? Or do you see those threats and vulnerabilities continuing continuing to just destroy companies? Or or, you know, what do you see for the future? I guess?

 

36:18

Yeah, I think I see for the future, I think we can see improvements. I think there’s a lot of movement towards improving the way we do security. It the the application security testing, and cloud security testing, and all that sort of stuff, when you look at the number of companies out there doing this stuff, and there are 1000s of them. And I believe that there’s some good ideas out there, there’s some great initiatives that are in place. And I know, I’m a big believer that the cream will rise to the top, I think we will start seeing some real good advancements in the technology to improve the security. I think some of the cloud providers themselves like Google, Amazon, and Microsoft, I think they are also producing some really good initiatives to reduce the risk of security breaches. And just recently, Amazon, for example, they changed the configuration of the what you call their s3 buckets, or s3 bucket as a storage location located on the cloud. Previously, you would have had to configure it to be more secure. Now as default is to be very secure, you need to relax it slightly if you wanted to do different things. But so I think some of the cloud providers are going to be producing better resilience. But then we still have the challenge that there are certain parts of security that the cloud providers are not responsible for, we’re still responsible for within the organization. There. I think I think security awareness is going to increase it over time, because it has become more and more popular in terms of is in the Daily News, we hear about security breaches. I know in the USA, there have been a lot of talk recently about making companies, you know, reduce their security risks. We’ve had the Biden, President Biden, as you’ve really seen some mandates recently about s bonds. We’ve had similar sort of legislation in the UK. So I think we are going to see some improvements. But but also, we’re facing more challenges. I mean, the threat from state actors such as Russia, China, North Korea, they are huge. North Korea, for example, they probably have a whole army of hackers, that are fully trained, highly experienced, very skilled, and working around the world. And when you hear some of the breaches that they’ve been responsible for, it’s been outstanding, what they’ve done, and it just isn’t one of the how the hell are you going to do you know, how can you fight that? It’s a challenge. But I think we are going to start making progress. It will, you know, it is a battle. And I think we’ll start to see some some gains over the next few years. And, but but it is going to be an ongoing battle, I think for for the foreseeable future. Sure.

 

Patrick Adams  39:27

Well, in this particular battle, there’s no one else that I’d rather have in my corner than then Glenn Wilson. So I don’t know if anybody heard early on in the interview here. When Glenn threw out that he was at the the what was it the International Boxing tribute? What was it funny? It’s a Hall of Fame. And Glenn, there’s also some I mean, you hold some some boxing records, don’t you? I’m trying to remember Oh, man.

 

40:01

Oh, no boxing. But yeah, so I was a British Champion in Powerlifting. Back in

 

Patrick Adams  40:09

powerlifting. That’s right. That’s what it was powerlifting and then

 

40:11

a little box down, I had three fights as a boxer, just to see what it was like. Yes. As you know, took up running as a result of boxing. So I was disappointed with the tour runner. So

 

Patrick Adams  40:27

that’s right. Yeah, very nice. Well, Glenn, it’s been great to have you on the show. Obviously, this is a very important issue that we’re talking about here. And it’s good to hear that, you know that as security, cybersecurity is being developed, and, you know, going into the future, that continuous improvement is a part of that process, and that, you know, that that you are working on software that’s going to be secure, and not compromise flow and continuous improvement, as your book talks about. If anybody’s interested to get a copy of your book, what, where would they go, where’s the best place to grab a copy?

 

41:08

Yeah, the best place to grab a copy would be on Amazon is in Kindle version, and is also paper version paperback version. So Amazon is the best place to go. I’ve got a small collection of signs books that I can send out. And if you wanted a copy of a signed copy, then they can reach me on.

 

41:28

Possibly LinkedIn would be the best place. And I can sort something out for them. And LinkedIn is probably the best place to converse with me about anything else as well.

 

Patrick Adams  41:40

Okay. And we’ll make sure that we put both of those links into the show notes. So if anyone wants to get a hold of you, Glenn, they can go right to the show notes. They’ll find a link to your book, as well as a link to your your LinkedIn page and they can reach out to you there. Well, it’s been great to have you on Glenn, good to catch up after Japan. Looking forward to continuing our relationship and working together in the future.

 

42:04

Yeah, it’s been a real pleasure to see you again, Patrick. And thank you very much for inviting me on to talk with your podcast.