Australian Cyber Security Magazine, ISSUE 8, 2019

Page 18

Cover Feature Cyber Security

Information security meets scaled Agile By Anthony Langsworth

Information security teams (InfoSec) suffer the curse and blessing of working with others. All InfoSec teams need to ensure others’ work, such as infrastructure changes and product development, is secure and meets standards. Many InfoSec teams also need to farm out security-related work to others because the information security team lacks the skills, capacity or authority. When a project team within the information security team’s organisation adopts or standardises on agile practices (commonly abbreviated to Agile), integrating security into Agile is not a new subject. However, traditional Agile does not scale well, presenting challenges and opportunities to both the organisation and InfoSec.

An Agile Primer

There are few people in the IT industry who have not heard of Agile. Based on a now almost two-decade-old manifesto, Agile focuses on delivering real value and minimises unnecessary work. A full discussion of Agile would consume many hefty tomes. However, Agile boils down to two main areas: (1) the mindset around delivering working systems, collaborating and building trust, and (2) the practices and “rituals” to achieve this.

Agile’s mindset consists of four tenets:

1. Individuals and interactions over processes and tools.
2. Working systems (initially software) over comprehensive documentation.
3. Customer collaboration over contract negotiation.
4. Responding to change over following a plan.

Agile does not say to skip the things on the right, like documentation or planning – a common criticism of Agile. It means doing a reasonable minimum of these to achieve the goal.

The most common Agile practice is “scrum”. Work occurs in iterations or “sprints” of a few weeks. A sprint starts with a planning meeting, where the team pulls tasks from a single, prioritised list or “backlog” and commits to delivering what they are comfortable with in that sprint. Tasks are captured on a “kanban” board (physical or virtual), indicating who is working on them and at what stage they are in the process (e.g. unstarted, developing, reviewing, finished).
