Cyber Security for Agile Organisations

July 2018

There is no doubt in today's digital world that agile methods for software development have been successful. Organisational agility refers to applying these methods to the whole organisation (a.k.a. the enterprise) to create an agile operating model across strategy, structure, people, process, and technology. The essence of all of these is the ability to adapt and respond to the quickly changing environment of disruptive business models and technology.

Numerous examples of startups have proved that being agile is imperative for a successful digital business. On the other hand, there is an ongoing debate about whether and how these methods can be scaled up in large organisations while maintaining their stability. Cyber security is one of the top concerns for many, and new models and practices are needed to adapt cyber security so that it supports agile ambitions while concurrently delivering assurance for security governance, risk, and compliance activities.

First things first: the traditional checklist approach to security controls is a no-no, as it clearly hinders the spirit of agile, where vision drives product (service) development and requirements may emerge or change over time due to various factors such as customer feedback, innovation, and market changes. This volatile, uncertain and ambiguous situation is not desirable for traditional security functions, as visibility and control are considered critical for governance, risk management and compliance (GRC).

The authority of security/GRC functions decreases in agile organisations, as the business tends to move quickly to introduce new products to the market and reconfigures its structures accordingly. The partner ecosystem of the digital world is another factor constraining visibility and control over the components of the cyber landscape, as information and systems extend beyond the boundaries of the organisation.

I propose an agile security architecture model to resolve the conflict here, with a reference model and a content model that guide the building of abstract and coherent solution views for cyber security. The reference model organizes and coordinates security services with a common taxonomy, and the content model provides pre-agreed abstraction layers (levels of detail) connecting the business view to the technology view. The reference model is illustrated below and its details are discussed in an earlier article here.

In the agile organisation, product development teams, specialists and security will build, develop and consume solution views in collaboration, instead of traditional silo functions chasing each other for control assessments. Any stakeholder can build a solution view for the layer of interest to it. A consistent and stable backbone will emerge over time, providing enablers for agile delivery and visibility & control for security/GRC. Traceable abstraction layers help to resolve the scaling problem of agile for large programs, and the common model and content repository help to eliminate hierarchies and silos in the organisation.

This is easier said than done; more guidance is needed to structure the organisation, clarifying security functions, roles, responsibilities, core activities and interactions. Recent discussions in software development communities suggest shifting security activities to development teams (i.e. security "shifts left"), as agile products are delivered frequently in small increments (features) and there is a continuous cycle of development and operation of services with blurred lines between them. The DevOps theme refers to this situation and supports agility with lean flow techniques, automation, and a culture of shared responsibility between development and operation functions. I welcome the DevOps guidance and have mapped ownership of the security domains in the reference model to the organisational functions.

Following the well-known principle of secure by design, empowering design & development functions is a good start for the services listed in the first column above (guidance by security functions, without policing, is always welcome!). I classify these services as security enablers that harden the product. Various technology tools are available to automate the activities here, integrating security into the continuous delivery pipeline. These tools should be selected and used by all functions, in line with the shared responsibility culture.

Other services are classified as security controls that build additional layers of protection (i.e. defence in depth). These are categorized as defensive, detective and responsive controls against hostile activity. Security services here need particular specialism as we move to the right of the illustration above, and it seems reasonable to build those functions as individual disciplines sourced from operational functions and/or external partners.

Regardless of the choice, all these services need to be described as per a reference model and presented in a content repository, as discussed above. This is for knowledge sharing across the organisation, so that agile teams can consume existing security services where available, or build new ones in collaboration as required. The content repository will also serve security functions for governance, risk and compliance activities with the least disruption to system design & development work.

Clearly, the mindset of security/GRC functions should change to embrace and facilitate business ambitions and to balance them with the protection needs of the organisation. There will always be weaknesses in large and complex systems, and it should be assumed that cyber attacks and breaches will happen. Risk management strategies should be tailored accordingly, to anticipate, adapt to, contain and recover from the effects of breaches.

These are just some thoughts in line with agile concepts and methods. Agile deserves a separate article of its own, and the list below represents just the core set of its principles on which my arguments for cyber security are founded:

  • shared purpose and vision with intense focus on the customer,
  • clear, flat structures, empowered teams, an open environment,
  • rapid iteration, experimentation, feedback, continuous learning, transparency,
  • active partnerships and an ecosystem for innovation and agility,
  • automation, evolving technology tools and services.

Obviously, prescriptive guidance contradicts the spirit of agile, and every organisation should tailor its own model as per its characteristics. The reference & content models for cyber security are just examples (not rocket science, obviously!) and readers are welcome to use or tailor them to organize, coordinate and direct cyber security activities in their agile journey. You may also check the "Architecting Cyber Security" article for the taxonomy and description of the security services referred to in this article.