Security and Agility; they go hand in hand, right?
A security approach that meets your needs but doesn't stop the business in its tracks needs to be Agile. But can and should security be delivered in an Agile way? Agile, as I am sure you are aware, is the latest buzz in project management. Agile is defined (as per Google dictionary) as 'relating to or denoting a method of project management, used especially for software development, that is characterised by the division of tasks into short phases of work and frequent reassessment and adaptation of plans'. So, taking this approach, can it truly be applied to security? Short phases with clearly defined outputs sound great, and I can understand why clients would like well defined and clear outputs that can be delivered in 2, possibly 3, weeks at a push, but is this realistic?
So let's look at this.
The Agile methodology works around small projects called sprints. Sprints are small tasks with a clearly defined and set deliverable (although this doesn't guarantee the output expected). So I want my website to allow my client to choose a product and pay for that product electronically and in a secure way? This is a good, clear deliverable with a set demonstrable outcome. Great. Agile could work. I want a new security solution for my business... mmm, this is when Agile starts to no longer be Agile. You can split this task into separate components such as requirements capture, design, POC etc., but this isn't truly Agile. Going into a sprint, the requirements need to be well defined and the client needs a clear deliverable that demonstrably works and can be done in bite-size chunks, preferably no more than 2 weeks. A design doesn't do that; it shows a potential option or approach, however it's not a true Agile deliverable as it's only part of a deliverable. Of course security can very much be part of an Agile process as part of an overall requirement, e.g. I want my clients to be able to buy my products through my website and it must be secure.
So what should be in place to run an Agile security project?
To be Agile the requirements have to be very clear and well defined from the start.
The client has to be very clear on what they want, as at the end of a given sprint the client / product owner must be able to say yes or no. For example, you asked for a red box. I have produced a red box. Is this what you expected?... Yes or No? Yes. Great. Now onto the next requirement; it needs holes, and so on.
Agile does seem to follow the path of fail fast, which is great - limited exposure and limited cost. However, failures of programmes tend to be due to unclear requirements, scope creep, and lack of client engagement and knowledge about what they want, which goes against the Agile ethos. Of course, misinterpretation by the provider is also a factor, but Agile doesn't protect you against this. For example, you asked for a red box. I have produced a red box. Is this what you expected?... No, I didn't want corners... OK, be back in two weeks. OK, slight exaggeration, but you get the point. So you could have multiple failed attempts.
This means that for a sprint you have to be able to carry out a full development lifecycle for the deliverable for that sprint, from design to implementation to test. So why is it people read a word like Agile, think 'that sounds great' and fail to understand what the approach is, how it works and, more importantly, what it is designed to do? I have heard that Agile replaces the 'V' or Waterfall model, which in a sense it does, with lots of short, sharp implementations of the V or Waterfall approach for software development.
However, I do see parts of Agile that can work for Security. I am always fond of a good story; it's the story that sets the start of the Agile process. If somebody can articulate what they are trying to achieve in the form of a story which focuses on a business benefit or a set outcome, then as a service delivery or consultancy company this makes life a lot easier and allows for risk reduction and accurate timing to take place. But this doesn't mean I can follow a true Agile process to deliver the outcomes / requirements of that story.
As people, are we too quick to jump on a keyword because it sounds good rather than because it is the right thing to try and apply? As mentioned above, doing a requirements capture sprint and then elongating the process to, say, 8 weeks is not Agile and shouldn't be described as such.
What are your thoughts? Have I missed the point? Or should I embrace people's enthusiasm to take a process and change it beyond recognition to make it sound like they are doing something special and that this is going to miraculously drive better outcomes than previous projects?
Let the conversation begin...
After a fantastic career working for some of the best system integrators in the world, I have now taken the plunge to build my own business and concentrate purely on my true passion, resolving challenges and protecting organisations against the global Cyber Security threat.
As of today, TRaC Defence Limited officially begins...
I have had memorable experiences and thank everyone who has helped me get to this stage in my career, where I can now start to carve out my own niche in this amazing market space. Throughout my career I have been able to work within all elements of cyber and information assurance capabilities across most market verticals, allowing me to understand what I like and where I naturally fit.
Things I have learnt along the way:
Solutions don't always have to be complex.
Get the basic hygiene factors right first; these will solve 80% of the issues you will come up against.
People focus first; this is where most of your challenges will originate.
Policies and processes should be concise, nobody will read or follow 20 volumes of thou shalt not...
Technology should be applied to support people and policies and have a specific focus, whether that is to protect against true APTs or well-meaning employees.
Security and Privacy go hand in hand, it’s not just a digital problem.
Everyone agrees these are basic and not ground-breaking in themselves, but they are still the major areas that organisations fail to get right.
TRaC Defence has been born out of a passion for wanting to make a difference and focus on what is important, beating the bad guys and trying to keep what is left of our unreleased data secure.
TRaC Defence's primary focus will be Threat, Risk and Compliance, where we will help our clients put in place a balanced approach to protecting their organisations' and clients' data/information.
TRaC Defence is growing a set of partnerships with SMEs and vendors with complementary capabilities, and announcements about these will be made over the next few weeks.
If you are looking for support or guidance with your Cyber and information privacy journey please contact us and we can discuss how we can help you.
If you’re interested in following our journey please follow our blog:
@tracdefence on Twitter
As a Security professional I do like to pass on to my children, 11 and 14, the virtues of privacy and being careful when online, especially when using social networks. One area I am always pushing is the power of passwords and login details, and the fact that you should never share these and the reasons why. So Snapchat has a thing called Streaks, where you have to maintain a flow day to day about something you are doing. Apparently not maintaining your streaks is a life and death situation!!! 😂 Imagine my despair when my daughter says 'my friend is going to do my streaks for the next couple of days as I know I'm busy'. So I ask 'oh, how does your friend do this?' The response: 'she has my login and password!'... 😱. I ask her if she sees anything wrong with this. At which the response is, 'She is my friend, I can trust her!' Aaaarrrrrggggghhhhh. So again we go through the dangers and risks, especially as kids are friends one minute and then enemies the next. As parents, how can we control this and, more importantly, what support should parents get to instil the mantra that logins are as sensitive as talking about personal things?... But this is not isolated to children. I recall an article recently where somebody on a train asked a fellow passenger to keep an eye on their unlocked laptop while they went for a coffee. We all know that people are the biggest risk.
So are the systems utilised for login to social media and computers now outdated? We talk about 2 factor authentication; should this now be enforced, e.g. 2 factor authentication by default?
TRaC Defence are proud to announce their affiliation with the UK Cyber Security Forum.
The UK Cyber Security Forum is a social enterprise representing sole traders and small & medium companies (SMEs) who are actively working in cyber security.
Throughout my career I have engaged with a wide range of recruitment companies and head-hunters and have had a very mixed experience, varying from abysmal through to excellent. Let me explain: I like to be in control of my career; that means I like to know what I have applied for, with whom, and what is being done on my behalf to help me get at least an interview or discussion. At the discussion phase I do all I can to prepare, at which point the success comes down to my ability to self-promote. However, is it too much to expect at least a call or an email at a regular interval, maybe fortnightly, to say we have had no feedback or the opportunity is dead?
As most of you will know, I am in the process of building my own business. Although I know it may mean I take a slightly lower fee, I decided I would work with different organisations to help me get that all-important first contract. But disappointingly, recently I feel that a lot of the organisations I have engaged with (there are a few exceptions, CND and InfoSec People for example, where people count and they use communication to their benefit) take your CV, put it forward for roles and then forget about it. Is recruitment not a two-way / three-way street (recruiting organisation, recruiter and candidate)? I realise people are incredibly busy and the recruitment market place is a stack-them-high-and-push-them-through-quickly approach, so that a small percentage of wins provides the business with what they need to be profitable etc. I get that, I really do. But should this impact common courtesies and customer service to candidates that are working with you and wish to take advantage of the opportunities these organisations have? Is it wrong for a candidate to ask for an update and expect more than a two-word response? At times I get the feeling it is felt this is wasting their precious time.
I do wonder if it is ever considered that if you work more with the candidates your win rates may actually increase and people will want to work with you in gaining suitable new roles or contracts? More importantly, they will be your biggest advocates and drive people and businesses to you.
I guess this is a bit of a rant and a plea. If you are going to work in the recruitment and headhunting business, please maintain comms; it doesn't take much and it really makes a difference to how people view your company and the market you represent. Or, just as easily, if you can't help, say so; this saves a lot of time and allows all parties to move on.
I apologise if I have missed the point, but I too have little time and need to work with organisations that take me and my experience seriously.
If you are in the recruitment industry and looking for candidates that will work with you for joint gain, please ping me a mail. I would be interested in talking to you.