Adopting Agile Principles in Cybersecurity
In this article
Agile is a buzzword you may hear a lot. The concept originally spawned from the software development world, but now chief information security officers (CISOs) are talking about it as a new way to lead a cybersecurity program.
A CISO's tenure is somewhere between four and five years depending on who you're talking to. And it's no secret that they're under pressure to be more responsive to the needs of the business, not only in terms of what they produce and how, but also how quickly business value can start to be realized.
Adopting an agile workflow for cybersecurity can lead to a more efficient environment through process consistency, enhanced project visibility and team collaboration across the business. But many CISOs still struggle with where to begin and end up with an ad-hoc approach that leads to project failure.
To jumpstart agile adoption, CISOs should first look to implement agile principles with more teams like security operations center and enterprise architecture, then to larger programs like compliance. They should also ensure the adoption of these principles is aligned with the organization's needs and strategy. With these steps in mind, there are several other recommendations to consider for success.
Successful adoption can require many steps before an organization achieves an agile cybersecurity framework at scale, and it will most likely look different depending on your organization's size and industry. The recommendations below are relevant to large enterprise organizations within the Fortune 500 category.
An agile framework is not a SKU you can buy from your favorite VAR. In order to create adoption, you first need to make business culture changes, and a helpful tool for this is a culture gap analysis. This type of analysis helps organizations identify what an agile cybersecurity culture looks like for them, what the values and principles are and how these principles map to SANS 20 or CSA-CCM. Once the analysis has been done, you should hold an internal workshop to confirm the culture gap analysis with select peers and key stakeholders of various teams. From here, you can build a successful adoption plan to start incorporating agile principles.
Defining use cases helps narrow your focus and aligns the adoption of agile principles to your desired business outcomes. For example, if you're looking to implement an enterprise segmentation strategy, using agile processes can help promote network and system readiness as a part of your rollout. This iterative methodology improves readiness by accelerating the identification of problems within an application or system. For instance, if a conformance test fails and there is a network segmentation configuration error, you will know to work with NetOps to address this issue. When the conformance test passing through the system is not working as expected, you know the network configuration is valid so there must be an application or system level error, which requires escalation to the owners of the impacted application and/or system.
In order to quickly show progress and allow for flexibility, a Fortune 100 company used iterative process techniques to create an enterprise segmentation strategy. This workflow consisted of 10-week sprints with two-week milestones throughout. The milestones consisted of tasks, deliverables and customer responsibilities, including interviewing key stakeholders to determine business drivers, prioritizing application candidates for segmentation, creating a network policy template, reviewing or creating network architecture design documents and finalizing zone architectures.
The primary goal was to take at least one application through the segmentation process. The outputs and lessons learned from this engagement were then leveraged by subsequent sprints.
In order to meet the Payment Card Industry Data Security Standard requirements, a Fortune 500 retailer needed to conduct a mobile application penetration test. Working with a tight deadline for release, the retailer conducted testing through five unique sprints. These sprints were a timeboxed effort, and were restricted to a specific duration. The duration was fixed in advance for each sprint and lasted two weeks in duration.
- Sprint 1: Code repo analysis, application build analysis, project structure, infrastructure discovery, application discovery
- Sprint 2: Unit test analysis, test coverage metrics, backward compatibility, infrastructure assessment, application assessment, static code analysis, remediation testing
- Sprint 3: Infrastructure assessment (final), application assessment (final), static code analysis (2), deep dive (optional – based on amount of complexity in Sprints 1-3), remediation testing
- Sprint 4: Final static code analysis, deep dive (optional – based on amount of complexity in Sprints 1-4), remediation testing
- Sprint 5: Final remediation testing
Although not a complete agile approach, using this subset principle (Scrum) kept the retailer from having to remediate a multitude of issues at the end of the test prior to release. This methodology also made the retailer accountable for its own process and empowered them to track progress, plan work and make changes.
To move in an agile manner, you must be willing to tear down silos and organizational charts and empower your team to make decisions. One way to do this is by creating a Security Center of Excellence (SCE).
One of our Fortune 500 customers did this with a focus on IT risk management and security. The SCE had representatives from various areas of the organization, including IT operations and business operations. These key resources were engaged to evaluate risk and determine acceptable solutions to remediate known vulnerabilities. The SCE met a minimum of three times per quarter and on dates and times specified by the Director of IT, Risk Management and Security. In order to address unusual circumstances that required immediate committee involvement, the director also scheduled meetings off-cycle. Regular attendance was mandatory for all committee members, however, a member could choose to send a delegate. The delegate is assumed to have decision authority equal to that of the absent committee member. The bottom line here is decisions are being made with transparency and input from others, but there is also accountability of the team driving the adoption.
This recommendation always reminds me of a quote from one of my favorite books:
– General Stanley McCrystal, Team of Teams
Even if teams agree on the areas that need improvement, there needs to be a way to knowledge share during the entire adoption process. Organizations should consider multi-team meetings and workshops to aide with team communication and prioritization. Additionally, to help with operationalizing information sharing, mediums such as intranet sites and other collaboration tools should be used and socialized for maintaining internal recommendations and documentation.
Today the industry must acknowledge that there is a multi-dimensional, transformation taking place. This change is driven by the digitization of the economy and forcing businesses to rethink the role of cybersecurity and its relationship to business outcomes.
If we look at any organization whether it is a global service provider, federal, state or local government, or private or public company there are two things we can guarantee about the business capabilities: products and services will become increasingly digital and require tighter security measures and business capabilities must operate in a more dynamic environment. The bottom line is organizations must be nimble against their competitors and threat actors, and an agile cybersecurity framework can help with that.