Want to reduce your release cycle from 203 to 100 days — and make it more secure? Fannie Mae did. Vice-president of development services Michael Garcia credits lean, a quality improvement philosophy focused on maximizing customer value while minimizing waste. It’s a tactic typically associated with manufacturers. Fannie Mae doesn’t make widgets, and to benefit, you don’t have to either. The lean mentality can apply to anything.

Lean thinking shifts managerial focus across technologies and departments to optimize every value stream in your business that provides products or services to customers. More simply, it’s figuring out how to do better with what you already have. Every business department — especially information security — should want to do better. “At the end of the day,” says Garcia (who left Fannie Mae shortly after our interview for another financial services firm), tech teams “are here to serve an organization and we need to do that in a way that's safe.” Security intrinsically delivers customer value and, regardless of how good a job you do already, can always be improved.

Choosing a continuous improvement model

Whether optimization comes as the result of lean or from a competing system like Kaizen or Six Sigma, you must use some type of continuous improvement model if you want shorter development cycles that don’t compromise security, Garcia says. He promises results: Lean not only cut Fannie Mae’s cycle in half, but the company’s now developing more code. Garcia adds, “Quality has gone up by 50 percent over the same period of time.” Fannie Mae started using lean in 2013, but if it hadn’t, he continues, “It would have cost us hundreds of millions more dollars to deliver what we're delivering today.”

This all sounds great for Garcia, especially as, when he started his job, the approach already had buy-in from Fannie Mae’s CEO. Adoption was a top-down decision, he says, and mandatory for all departments. When you don’t have a CEO driving change, how can you implement the right improvement methodology for your team?

“Embrace agile, embrace debt-loss, embrace operational excellence.” Those are the starting points Garcia suggests. Most quality models break optimization down into steps like this. In the book Lean Thinking (Simon & Schuster, 2003), authors Jim Womack and Dan Jones recommend you focus changes across three areas: purpose, process and people.

For some companies, this might mean revamping organizational structure: How readily can development and security teams communicate? Do they simply Slack each other, or does cross-departmental collaboration require an all-channels-approved, pre-scheduled, sit-down meeting? Simplifying communication processes saves people time so they can get back to the true purpose of their work.

The lean mentality: Developing secure code from the start

Looking for ways to cut waste across the three P’s is a great start. For those who want help beyond that, the Lean Enterprise Institute and the American Society for Quality offer training. However, there are no hard-and-fast guidelines for thinking lean — no rules or roadmaps you can follow to perfection. That’s one reason some security officers might not like it: Lean isn’t a process. It’s a mentality.

The upside to having few rules is that teams become empowered to find their own ways to be more agile. In a lean culture, self-efficiency and self-improvement are inherent. “Ironically, the interesting thing is that when you actually do get [the mentality] right, then you can deliver things — integrate it in a faster way,” Garcia says.

New code is designed more safely from its foundations, he explains, “because you're delivering smaller increments and you're testing them fast. You're testing them all the time and you also have a commitment to that.” Smaller pushes are easier to fix, and engineers can more readily learn from those iterated fixes. Integrated communication helps security catch vulnerabilities before a commit.

Six Sigma: A more structured approach

For those who prefer clearer parameters, though, there’s Six Sigma, a trademarked process that breaks optimization down into five steps: define, measure, analyze, improve and control. If you think that’s a lot to remember, there’s this handy acronym: DMAIC. It even comes with a map.

Under Six Sigma, if you wanted to make a code base more secure while it’s still under development, you’d have to follow these steps in order:

Define the problem: Development is writing insecure code.
Measure — or quantify — their performance: Is just one line easy to hack, or is the entire push bad?
Analyze to determine the problem’s root cause: Does development not know that what they’re writing is vulnerable, or do they not care?
Improve addresses or eliminates the cause.
Control looks for ways to keep it from happening again.

Why Fannie Mae chose lean over Six Sigma

For Fannie Mae, Six Sigma requires too many steps. That 100-day development cycle was just for larger projects. Garcia says, “For many things, [lean is] much, much faster. I am basically responsible for delivering the agile DevOps transformation from the technology side, and we're partnered heavily with the business side on lean transformation.” Because Fannie Mae supports the mortgage industry, he adds, “We had to look at rationing down our heavy governance that we had and integrating that into our technology so it's automated and faster and more reliable.” Lean was right for them and, he says, “The results show.”

In addition to improving communication among teams, Garcia says lean helped Fannie Mae reduce the number of checkpoints in its system development life cycle (SDLC), adding “more secure, automated controls.” He also says they developed “a risk acceptance process that takes into account the way in which people make decisions,” explaining that “people will identify things all the time and people will make risk decisions.”

If a full-blown system sounds ambitious, there’s also Bayesian decision theory, which weighs the probability of an outcome against its cost to measure the tradeoff of any potential decision. It, at least, can help you choose the most optimized option: “If you look at the Bayesian decision making,” Garcia says, “it's like, ‘Yes, you're right. Here’s a gap in that process, but we've been alright for 75 years and we've yet to have an issue…. There has to be a risk acceptance process that takes into account the way in which people make decisions.”

Who knows? If management starts to see radical improvement coming from your team, maybe it will help them and other departments take security more seriously. Garcia says, “What we have found in our transformation of teams and the way we work has been fundamentally getting that trust-base to enter the process when our teams work together. So, you have the security folks, you have the infrastructure folks, you have the lawyers, you have the business people — you have them all look at these problems in a way that really focuses on one thing and that's the clients.” If you can cut waste and improve the security that customers receive, the business value will be undeniable.