Can security keep pace with agile development? Why strategy is key and how to devise a smart one


By Features 

Companies often attempt to rapidly inject change by rigidly forcing a transition to an agile development methodology.

The fast and disruptive nature of today’s business cycles means that IT and security leaders must incorporate agile processes in order to remain competitive and close the widening gap between development velocity and current security approaches. However, the reality is that many organisations still haven't (fully) adopted Agile methodology, and many are still only partially there with what is sometimes coined as ‘Wagile' (Waterfall-Agile). Transitioning to agile means to first outline a core set of principles for development and fostering a cross-functional collaborative environment by removing hard boundaries of teams. This initial activity sets the stage for both continued digital transformation, and more importantly, cultural evolution and adoption of DevSecOps.
Technology has permeated literally all areas of business and the term “digital transformation” is ubiquitous. As a result of this, we’re in an application economy, which means that software developers possess much more influence over many decisions in the enterprise. In fact, in a book by Redmonk co-founder Stephen O’Grady entitled, The New Kingmakers, the effect that technology has had on business and the power that developers wield in the enterprise is discussed at length. O’Grady believes that “Developers are the most-important constituency in technology. They have the power to make or break businesses, whether by their preferences, their passions, or their own products.”
But with power comes great responsibility and there also needs to be a level of accountability to balance out that power to some degree. Unfortunately, the security aspects of that responsibility tend to be an afterthought, or worse yet, completely neglected until it’s too late.
The reason for this is two-fold. First, security teams are not aligned organisationally with the development and infrastructure teams, so they are typically always behind when it comes to testing application updates and deployments. Culturally they are often viewed as an impediment to productivity and velocity, and the “Department of No”. Second, the security product and  tool sector is extremely fragmented and there is a plethora of disparate point-solution tools instead of comprehensive platforms that seamlessly embed into the software development life cycle and provide a strategic framework to build upon.  As a result, static and dynamic security tests are only performed periodically and there is little to no productive collaboration with the development teams.
Instead of taking a holistic, strategic approach to changing this situation, companies often attempt to rapidly inject change by rigidly forcing a transition to an agile development methodology. But this rigidity is the exact opposite of agile. This tactical overreaction often results in the aforementioned ‘Wagile’ methodology implementation, and neglects the time needed to determine the correct set of development values and principles required for a truly agile environment. Also, cultural transformation is an evolutionary process and won’t happen overnight as it’s about “winning hearts and minds”, which requires time to establish mutual respect and understanding. It’s also important to note that any cultural changes need to take into account the current and future business requirements.

The need for cultural transformation

There is no shortage of products and tools in the cybersecurity sector, and while a scale-out approach works well for infrastructure architectures, it’s not an effective approach for improving security resiliency. Each tool is unique in how it is used, and there is no standard, normalised output of results, so there tends to be an inordinate amount of time spent correlating and interpreting the results. Security teams are already short or understaffed, and that’s not projected to improve any time soon. Security testing needs to be completely aligned with the agile development process and seamlessly integrated into the SDLC using automation and orchestration. Continuous improvements in the core tenets of the DevOps culture -- collaboration, automation, measurement, and sharing -- need to be embraced by the security teams, which will transform the culture into what is known as DevSecOps.
The paradigm change that is a large component of DevSecOps is known as “Shifting Left”. Security testing has historically been performed outside of, or to the right of, the software development life cycle and CI/CD pipeline. In order to close the chasm that exists between the development and security teams, the organisational lines need to be blurred and security teams need to be an integrated part of the overall pipeline. Combined with involving the security team as early as possible, CISOs need to take a deep look at how their organisation is composed and understand the need for a strong group of engineers that both have deep security testing and remediation experience, as well as a thorough understanding of the software development process. As part of this organisational change, the CISO needs to establish quality relationships with the VP of Engineering, Head of Infrastructure, and whomever is responsible for the CI/CD toolchain.
CISOs have been articulating a desire for a “seat at the table”, and creating strong cultural bonds is the first step in building consensus and support for that goal. With the VP of Engineering, the CISO should strive to fully understand his/her initiatives and challenges and then find areas where security teams can seamlessly improve security testing and deliver assurance. A similar approach needs to be taken with the Head of Infrastructure. First determine where everything is (on-premises and/or Public Cloud), understand how updates are deployed, and once again, strive to deliver security solutions that increase resiliency. Security leaders need to show the ability to tie their organisations’ efforts to business outcomes and shift away from the “fear, uncertainty, and doubt” messaging. Establishing a “common language” is essential to the longer term success and helps create a strong bond across the teams.
To boil this down, agile development requires a cultural transformation. We’ve all heard the phrase “People, Process, and Technology”, and the latter two are far easier to change than the deep rooted convictions that exist in nearly every company. Collaboration is increased by first assembling a cohesive leadership team, creating clarity of goals, and then continuously communicating those clear goals. Improvements in vulnerability detection, remediation, and resiliency should be measured and shared across teams. Then, and only then, can security truly keep pace with agile development and enable a DevSecOps culture.
Mike Kail is Chief Technology Officer at CYBRIC
Image Credit: Wright Studio / Shutterstock

Comments

Post a Comment

Popular posts from this blog

How adopting an agile approach can optimize your business outcomes

Image
Jan 11, 2018, 3:15am EST INDUSTRIES & TAGS   Career & Workplace SHARE   Order Reprints   Save Article   Print Get Newsletters and Alerts Morning Edition >> Afternoon Edition >> Breaking News Enter your email address Sign Up Mark Langley Contributing Writer RELATED  CONTENT How to bridge the project management talent gap How to drive organizational change by making the most of sponsors Five management tips to improve project results Since an organization’s strategic initiatives are implemented through projects and programs that drive change, enhance competitive advantage and fuel growth, it is imperative that companies take a holistic approach to project management and select the project management method that best suits the needs of a given project.  Agile approaches can complement traditional project management methods to quickly meet customer demands in t
Read more

Why Agile Is Eating The World​​

Image
Steve Denning   ,   CONTRIBUTOR I write about radical management, leadership, innovation & narrative.     Opinions expressed by Forbes Contributors are their own. Image Wikimedia Commons: Brocken Inaglory Great white shark at Isla Guadalupe, Mexico. In 2011, Marc Andreessen wrote his famous essay, “ Why Software Is Eating the World, ” in The Wall Street Journal, leading to the cliché that “every company needs to become a software company.” (A useful update by Jeetu Patel on the situation in 2016 is here: “ Software is still eating the world .”) In one way, Andreessen’s 2011 article was remarkably prescient. In 2011, IT firms were looked down on by Wall Street. Andreessen was telling Wall Street: “Pay attention! These companies are more valuable than you think they are.” And Wall Street listened. In 2018, the five biggest companies in the world by market capitalization are IT firms: Amazon, Apple, Facebook, Google and Microsoft. But it turned out that Andrees
Read more

Agile Transformation? Time To 'Rehumanize' The Business

Image
Jason Bloomberg   ,   CONTRIBUTOR I write and consult on digital transformation in the enterprise.     Opinions expressed by Forbes Contributors are their own. The story of extending the principles of Agile to the organization as a whole as I discussed in my article   Digital Transformation Requires Enterprisewide Agile Transformation   earlier this year is so powerful, I decided to run two workshops on the subject. I presented the first workshop at no-code vendor kintone’s inaugural   Connect conference in San Francisco, then headed to Orlando for Rising Media’s   Building Business Capability   (BBC) conference, where I ran a longer version of the same workshop entitled   Agile Digital Transformation . You can imagine my surprise, therefore, when one of the keynoters at kintone Connect presented a powerful story of transformation that aligned with mine – although he didn’t begin his story with software as I do. The reception to my workshop at BBC, however, was quite di
Read more