5 practical ways to align cybersecurity with Agile

Cybersecurity saw more focus in 2018 with incidents across almost all industry segments – healthcare, aviation and not least, social media.

Over the next few years, the threat of poor cybersecurity implementation has only increased. Rapid digitilisation is as much a boon as it is a growing risk. Scams, hacking, the danger of A.I blackmailing and more grew out of this evolution.

Without proper and secure cybersecurity, companies leave themselves vulnerable to all sorts of attacks.

Even the lay person is prone to cybersecurity attacks through social media.

So, here are just five insights on how you can align cybersecurity frameworks with Agile initiatives for a more secure working environment.

Data quality and completeness of an asset inventory are key to starting any Security assessment. Availability of end-to-end traceability of assets helps to analyse the impact of a security incident.

In most organisations, this process is very people dependent or has little to no automation.
​
Involving the security personnel early on in Innovation initiatives or investment decisions will help engage them right from the beginning – perhaps even before the Scrum.

This is especially important for the initiatives with high business impact and asset value because it reduces the dependency on the asset inventory to a great extent.

Business impact and asset value drives the selection of security controls along with the nature of the application or asset.

Selection of security controls requires the Product Owner to seek the input of Security Risk managers, Business and IT to collaboratively refine the backlog.

The risk management team must ensure it shares a clear and easily comprehensible list of controls with IT and Business units. This is often best captured within the Definition of Done.

Complicated language or jargon will only build resistance towards integrating and valuing these security controls.

A prioritised list of security controls will enable different teams to plan and incorporate security requirements in incremental sprints. This is crucial for project teams so that Security GO- or NO-GO criteria are known upfront and early on in their development sprints.

The Secure Development Lifecycle (SDLAgile approach) by Microsoft also provides a practical way of implementing security controls by categorising them into one-time requirements, bucket requirements and Definition of Done.

One of the most common challenges is incorporating the penetration testing that is outsourced to various offsite locations.

Even with the ever-growing use of automation penetration testing tools in Agile environments, manual penetration testing can still provide immense benefit.

Also, as a suggestion, the central team can connect with outsourcing vendors through video calls rather than email communications; and include them in the Kanban board of the dependent sprint.
Not only does it facilitate better communications, but also prompts more effective team collaboration.

As Security Risk managers, Business and IT units work on the selection of controls collaboratively, the outcome of “assess and authorise” will be directly linked with the choice of control implementation.

The biggest advantage of collaboration is that it reduces most delays that occur due to the security personnel’s authorisation before the release.

This should be identified through roadmaps, or at least during backlog refinement and Sprint Planning.

This is an iterative cycle of questioning, clarifying and confirming if the existing controls are good enough for any new enhancements and changes in their functioning environment.
​
The security personnel’s bandwidth might take a hit here as these teams usually have small numbers. Often, their efforts will be more concentrated on the new innovative initiatives and projects rather than existing assets.

That is why training and coaching security representatives within each team becomes very critical and is aptly supported by a clear Definition of Done.

In the words of Dwight D. Eisenhower, “We will bankrupt ourselves in the vain search for absolute security.”

Hence, it is critical to prioritise your security assessments and align your efforts based on the business asset value, instead of spreading yourself thin by attempting to blanket everything in the name of security.