Involving security personnel early in #Innovation initiatives or investment decisions engages them right from the beginning – perhaps even before the Scrum. This is especially important for initiatives with high business impact and asset value, because it greatly reduces the dependency on the asset inventory.
Select – Business impact and asset value, along with the nature of the application or asset, drive the selection of security controls. Selecting controls requires the Product Owner to seek the input of Security Risk managers, Business and IT so that they can collaboratively refine the backlog.
The risk management team must ensure that it shares a clear and easily comprehensible list of controls with IT and Business units – often best captured within the Definition of Done. Complicated language or jargon will only build resistance towards integrating and valuing these security controls.
Implement – A prioritised list of security controls will enable different teams to plan and incorporate security requirements in incremental sprints. This is crucial for project teams so that Security GO- or NO-GO criteria are known upfront and early on in their development sprints.
The Secure Development Lifecycle for Agile (#SDLAgile) approach by #Microsoft also provides a practical way of implementing security controls by categorising them into one-time requirements, bucket requirements and the Definition of Done.
One of the most common challenges is incorporating penetration testing that is outsourced to various offsite locations. Even with the ever-growing use of automated penetration testing tools in Agile environments, manual penetration testing can still provide immense benefit.
I’d also like to suggest that the central team connect with outsourcing vendors through video calls rather than email, and include them in the Kanban board of the dependent sprint. Not only does this facilitate better communication, it also prompts more effective team collaboration.
Assess and Authorise – As Security Risk managers, Business and IT units work on the selection of controls collaboratively, the outcome of “assess and authorise” is directly linked to how the chosen controls are implemented. The biggest advantage of this collaboration is that it removes most of the delays caused by waiting for security personnel’s authorisation before release. These authorisation points should be identified through roadmaps, or at least during backlog refinement and Sprint Planning.
Monitor – This is an iterative cycle of questioning, clarifying and confirming whether the existing controls are still adequate for any new enhancements and for changes in the environment in which they operate.
Security personnel’s bandwidth may take a hit here, as these teams are usually small. Often their effort is concentrated on new, innovative initiatives and projects rather than on existing assets. That is why training and coaching ‘security reps’ within each team becomes critical, and it is aptly supported by a clear Definition of Done.
In the words of Dwight D. Eisenhower, “We will bankrupt ourselves in the vain search for absolute security.” Hence, it is critical to prioritise our security assessments, align our efforts with the business asset value and not boil the ocean in the name of ‘security’.