Selecting an agile methodology for your organisation is an important process that brings with it numerous benefits: faster development, greater collaboration, an easier time meeting compliance standards, and more. However, the fact is that many organisations aren’t using the best fit methodology for their specific goals and business environment.
In trying to find the right methodology for your business, you need to start by evaluating where you are currently. This blog is based upon some of the high-level challenges that are commonly seen within environments that use Agile methodologies and shares three key questions to ask when evaluating your organisation’s current security position.
To provide you with a clear understanding of how the responses to these questions should influence your future decision-making, each has been broken down into:
- Common challenges – what your organisation is currently experiencing;
- Impacts – what this means for your organisation;
- Solutions – what you can do to improve this.
1. Are Independent Security Audits or Reviews Used to Assess Security Control Implementation and Effectiveness?
The speed of relevance – Many modern organisations now focus on delivering projects and existing services, using an agile methodology and utilising a range of legacy and cloud technologies. If security and Governance, Risk and Compliance (GRC) practices are not embedded within these modern working practices, an organisation can be at risk of financial, reputational, or operational impacts.
Made by Waterfalls – Many careers, processes and systems may have been built over time using waterfall methodologies. Whilst agile approaches may be in use, some processes and approaches may need to be refined.
An incomplete Software Development Lifecycle (SDLC) – SDLCs are often maturing but can be subject to gaps when compared to best practices. SDLC risks should be assessed and managed by the organisation. This helps to inform decision making, such as resourcing and remediation plans to reduce risk to an acceptable level for the organisation.
Daily tools – It’s an unfortunate reality that not everyone understands agile methodologies or the associated tooling to a baseline level. There is often an absence of staff training for tools that are used on a daily basis. Teams establish their own working practices, but these do not always align or work well with the approaches taken by other teams.
Deviation from Governance, Risk and Compliance can result in legislative and regulatory non-compliance. This can result in significant fines or prosecution in the most severe circumstances. Further consequences can vary depending on sector.
Auditing and security testing help to identify unknowns, verify security control effectiveness and provide assurance that the organisation is doing the things it says it does.
A bad practice or absent capability within the SDLC or a build pipeline can be detrimental to the build that is released. A quick win or improvement to the SDLC can have a wide-reaching outcome.
Seek a common level of understanding for ways of working. Support new starters by teaching them what agile means, the roles different teams play together, the importance of collaboration and what security standards are to be followed. This can also be a useful reminder and opportunity to provide updates to staff for any amendments or changes they need to be aware of.
Audits and reviews provide assurances. If an assessment is overdue or if the organisation has never had one, the organisation could be exposed to risks, vulnerabilities, and deviations from best practice that it isn’t aware of.
Knowledge sharing sessions, lunch and learns and end of sprint demos are all examples of methods that help to establish a common understanding of a topic or technology, such as what a new project is about, lessons learned, increasing familiarity with standards or simply sharing what a new system or application actually looks like. These sessions can help spark further beneficial discussions and build relationships across teams.
2. Is There Friction Between Teams or Professions?
For organisational, cultural, or sometimes just unexplainable reasons, there can be friction or misunderstandings between different teams or professions. This can result in teams that are working towards common goals, but not effectively working together.
Negativity can spread, causing poor morale;
If teams are not communicating or collaborating effectively, this can result in gaps in security controls, GRC issues and the possible need for rework.
Use of collaborative sessions – to share knowledge and help build relationships between teams, e.g. lunch and learn sessions and threat modelling;
To be open and honest – encourage staff to ask questions, to ask for a walkthrough or overview of a solution or system;
For a consultant to work between the teams, providing an independent view whilst working on specific objectives, which can help to build relationships and understanding between the teams;
To uphold respect for other departments and professions.
3. Do Teams and 3rd Parties Understand the Organisation’s Security Requirements?
An absence of policies, standards or security requirements means that the organisation has not defined what staff or 3rd parties must implement or comply with;
In some cases, these requirements may be known, but staff are not aware of them or can’t find them;
TLDR (Too long didn’t read) – Lengthy documentation that could send staff to sleep is a problem for self-evident reasons.
Requirements are unclear or simply not met, which could result in a number of consequences including security incidents or reputational damage.
Increased risk or cost to rework;
Non-compliance with company, legislative or regulatory requirements.
Utilising a consultancy to refine or deliver standards, to implement a standard (e.g. ISO 27001) or to cover the latest technologies and approaches;
Awareness sessions/workshops to convey key points and to gauge levels of understanding and compliance;
Communication plan – for new starters and current staff to ensure they maintain constant awareness, even as standards or technologies change over time;
People learn in different ways. GRC and compliance requirements can benefit from being communicated in different ways and frequencies (e.g. a security awareness program and awareness notes).
Audit and Review. Often organisations are focused on project delivery and operational processes. Audits and reviews should be used to measure the current levels of maturity, control effectiveness and compliance.
Consultants provide a wealth of skills, knowledge and experience that can be used to help an organisation to mature and achieve its security objectives or build a business case. A consultative approach also enables a common level of understanding and can help improve relationships between teams.
A consultant provides an independent and impartial view that can highlight organisational challenges, such as those covered above.
Standards such as ISO 27001 offer a basis to build upon – for a security management system and to have a logical approach to roles and responsibilities, security awareness, control selection and risk management.
Hopefully highlighting these 3 common challenges prompts discussion and possibly action! Addressing these problem areas will have a positive impact on security awareness and security control implementation. Not all points raised are specific to security, but they can cause a number of unwanted problems and have a negative impact on the overall effectiveness of the organisation’s agile ways of working.
TLDR (Too long didn’t read):
Audits and reviews identify areas for attention. Achieving a baseline of knowledge and regular information sharing is time well spent. Building a positive culture and working on inter-team relationships can improve staff morale and organisational performance.
To learn more about evaluating or improving your Agile methodology, speak with one of our team.
For more on this topic, please also see Jack Pye’s recent blog post ‘Threat Modelling in an agile world.’