Practical Insights on Securely Scrumming the Scrum

1/25/2019

by Sneha Sridhar, Senior Consultant of why innovation!
Cybersecurity gained utmost focus in 2018 with incidents across almost all industry segments - healthcare, aviation and not least, social media. As we roll up our sleeves to create more secure environments in 2019, here are a few insights on aligning with cybersecurity frameworks in #Agile initiatives.
Categorise - Data quality and completeness of an asset inventory are key to starting any security assessment. End-to-end traceability of assets helps to analyse the impact of a security incident. In most organisations, this process is very people-dependent and has little or no automation.

Involving the security personnel early on in #Innovation initiatives or investment decisions will help engage them right from the beginning – perhaps even before the Scrum. This is especially important for initiatives with high business impact and asset value, because it greatly reduces the dependency on the asset inventory.

Select – Business impact and asset value drive the selection of security controls, along with the nature of the application or asset. Selecting security controls requires the Product Owner to seek the input of Security Risk managers, Business and IT to collaboratively refine the backlog.

The risk management team must ensure that it shares a clear and easily comprehensible list of controls with IT and Business units – often best captured within the Definition of Done. Complicated language or jargon will only build resistance towards integrating and valuing these security controls.

Implement – A prioritised list of security controls enables different teams to plan and incorporate security requirements in incremental sprints. This is crucial for project teams, so that the security GO or NO-GO criteria are known upfront and early on in their development sprints.

The Secure Development Lifecycle for Agile - the #SDLAgile approach by #Microsoft - also provides a practical way of implementing security controls by categorising them into one-time requirements, bucket requirements and Definition of Done requirements.

One of the most common challenges is incorporating penetration testing that is outsourced to various offsite locations. Even with the ever-growing use of automated penetration-testing tools in Agile environments, manual penetration testing can still provide immense benefit.

I’d also like to suggest that the central team connect with outsourcing vendors through video calls rather than email, and include them in the Kanban board of the dependent sprint. Not only does this facilitate better communication, it also prompts more effective team collaboration.

Assess and Authorise – As Security Risk managers, Business and IT units work on the selection of controls collaboratively, the outcome of “assess and authorise” will be directly linked with the choice of control implementation. The biggest advantage of collaboration is that it removes most of the delays that occur while waiting for Security personnel’s authorisation before a release. The authorisation step should be identified through roadmaps, or at least during backlog refinement and Sprint Planning.

Monitor – This is an iterative cycle of questioning, clarifying and confirming whether the existing controls are still good enough for any new enhancements and for changes in the environment they operate in.

Security personnel’s bandwidth might take a hit here, as these teams are usually small. Many times their efforts will be concentrated on new innovative initiatives and projects rather than on existing assets. That is why training and coaching ‘security reps’ within each team becomes very critical - and is aptly supported by a clear Definition of Done.

In the words of Dwight D. Eisenhower, “We will bankrupt ourselves in the vain search for absolute security.” Hence, it is critical to prioritise our security assessments, align our efforts based on the business asset value, and not boil the ocean in the name of ‘security’.
14 Comments
Haseeb Qureshi
1/25/2019 02:20:00 pm

Very well comprehension

Reply
Manju Vasudevan
1/25/2019 03:27:37 pm

Thanks for the insights..... very apt title. Learnt about SDLA. Nicely comprehensive info in terms of Categorize, Select, Implement etc ......

Reply
Ofer Sheveki
1/25/2019 06:35:06 pm

Good and Important.
It helps to understand the benefits of Agile Methods and the benefit of Secure development.

Thanks for the insights.

Ofer

Reply
Shruti
1/25/2019 09:30:17 pm

Very well written

Reply
Crystal Culp
1/25/2019 09:31:12 pm

Very informative and explained in a manner everyone can comprehend.

Reply
Sreejith Sreedhar
1/25/2019 10:22:08 pm

Very well explained in simple language..👍🏻👍🏻👍🏻

Reply
Catherine Lee
1/25/2019 10:55:44 pm

As technology grows faster, so does the associated cyber security risk. It is very important to prioritize the identified risk and embed adequate security controls throughout the SDLC process.. well-written and comprehensive article, it's really insightful!

Reply
Nithya Muralidhar
1/26/2019 02:38:41 pm

Being an audit and security person myself, this article hit close to home with its very clear description of the phases of SDLA and focus on involvement and collaboration between security, business and IT to derive maximum output of measures to build and maintain a secure and sustainable environment. Very well written!

Reply
Sneha
1/26/2019 02:52:56 pm

Thank you all !!

Reply
Deepashree Padmanabha
1/26/2019 08:25:08 pm

Good one. Checks and balances towards security in agile way of working is nicely put across.

Reply
Jagan
1/26/2019 10:22:11 pm

Good one Sneha. Well written and reflects a lot of what you experienced and learned in our last project.

Reply
Pankaj
1/28/2019 09:16:06 am

Absolutely. Involving security from scratch helps reduce cyber risk.. well written Sneha

Reply
Bhuvana
2/6/2019 01:00:31 pm

Very well written!!

Reply
Priya Gupta
2/21/2019 01:09:55 am

I like the idea of 'training and coaching ‘security reps’ within each team'!
Nicely put across!

Reply