It is almost hard to believe that it has been 20 years since a group of 17 individuals gathered at the Lodge at Snowbird ski resort in the Wasatch mountains of Utah and developed the Agile Manifesto, thus coining the term agile to describe a methodology that would transform the way software is developed. It is unlikely this group fully understood the effects of their manifesto at the time or the applicability of the principles behind their manifesto to other areas of IT, including cybersecurity.

This article will focus on how agile principles align with practices of a high performing security team, and how an organization can use these principles to improve their cybersecurity posture. The high-level concepts of embracing change, creating better communication and feedback loops, and empiricism are at the root of many of the agile principles — and are also best practices for a high performing cybersecurity program.

Embracing change

Just as it is necessary for agile teams to embrace change to provide the desired product, cybersecurity teams need to be able to pivot strategies and activities to keep an organization secure.

In agile, embracing change means accepting changes, even late in the development cycle, to maximize the value of the delivered product. This value is realized through working code, which is created incrementally and iteratively. What the development teams work on is prioritized by the amount of value a set of features or capabilities brings to the organization. This prioritization changes when the organization adjusts which feature sets are deemed most valuable based on market factors, consumer trends and so on.

Similar to agile, cybersecurity teams need to be able to pivot their activities, ensuring they are working on those activities that provide the maximum value to the organization. In cybersecurity this often means working on the items that carry the highest associated risk. Just as in agile development, the cybersecurity team needs to continually evaluate which activities it should be prioritizing.

As an example, let's review a potential scenario involving the prioritization of patching for an organization. Let us suppose that a Common Vulnerabilities and Exposures (CVE) entry is issued with a medium severity rating. In many patch management programs a medium severity would necessitate remediation within 30 days.

A 30-day timeframe could mean that remediation of this vulnerability is prioritized relatively low at the time of issuance. However, if it is discovered after issuance that the CVE has associated malware seen in the wild, that it allows remote code execution, and that the associated attack vector begins to trend and increase significantly in frequency, the security team will want to quickly reassess and reprioritize their activities.

In this use case, that medium CVE may now be prioritized very highly on the cybersecurity team's list of activities, and rightly so. If the cybersecurity team does not embrace change and reprioritize their activities, there could be significant risk, potentially leading to negative impacts on the organization.
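The reprioritization described above, expressed as a small risk-scoring model (an added example, not code from the article or from WWT): a backlog is ordered by a score that combines static severity with the observed threat signals the scenario names, and the remediation window shrinks as evidence of active exploitation appears. The severity weights, window lengths other than the 30-day medium window, and the CVE identifiers are all constructed placeholders.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Constructed remediation policy: base window per severity. The article cites
# 30 days for medium; the other values and all score weights are assumptions.
BASE_WINDOW_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
BASE_SCORE = {"critical": 40, "high": 30, "medium": 20, "low": 10}

@dataclass(frozen=True)
class Vuln:
    cve: str                          # placeholder identifier, not a real CVE
    severity: str                     # "critical" | "high" | "medium" | "low"
    issued: date                      # date the CVE entry was issued
    exploited_in_wild: bool = False   # malware using it has been seen in the wild
    remote_code_exec: bool = False    # the flaw allows remote code execution
    attack_trending: bool = False     # associated attack vector rising in frequency

def risk_score(v: Vuln) -> int:
    """Static severity plus constructed weights for each observed threat signal."""
    score = BASE_SCORE[v.severity]
    score += 30 * v.exploited_in_wild + 20 * v.remote_code_exec + 20 * v.attack_trending
    return score

def remediation_deadline(v: Vuln) -> date:
    """Shrink the severity-based window when evidence of active exploitation appears."""
    days = BASE_WINDOW_DAYS[v.severity]
    if v.exploited_in_wild and v.remote_code_exec:
        days = min(days, 3)       # wormable-style risk: days, not weeks
    elif v.exploited_in_wild or v.attack_trending:
        days = min(days, 7)
    return v.issued + timedelta(days=days)

def reassess(v: Vuln, **signals: bool) -> Vuln:
    """Return a copy of the vulnerability with newly observed signals applied."""
    return replace(v, **signals)

def prioritize(backlog: list) -> list:
    """Order the backlog by descending risk; earliest deadline first on ties."""
    return sorted(backlog, key=lambda v: (-risk_score(v), remediation_deadline(v)))

# Constructed backlog with placeholder CVE ids, all issued on the same day.
BACKLOG = [
    Vuln("CVE-0000-0001", "high", date(2021, 3, 1)),
    Vuln("CVE-0000-0002", "medium", date(2021, 3, 1)),
    Vuln("CVE-0000-0003", "low", date(2021, 3, 1)),
]
```

Calling `reassess(BACKLOG[1], exploited_in_wild=True, remote_code_exec=True, attack_trending=True)` moves the medium CVE from the middle of the backlog to the top and pulls its deadline from 30 days to 3.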

Communication

There is a reason why the topic of communication shows up in two of the four agile values found in the Agile Manifesto and in more of the supporting agile principles than any other topic. From collaboration with other teams and the business to constant feedback loops as a part of the agile ceremonies and processes, communication is obviously one of the most important topics in agile.

In agile, communication internal to the development team as well as communications with teams and individuals outside the development team are both essential. Communication within the development team is needed so that work progress can be tracked, other team members understand internal dependencies, and most importantly so any impediments to their work can be resolved. Communication with other teams is needed to make sure architectural runway is developed in time to support development activities and sprint goals continue to align with desired capabilities of the organization, to name a couple of examples.

Communication is also extremely important within cybersecurity teams and with other teams. Borrowing directly from agile/scrum, I know multiple practitioners (including myself) who have implemented daily stand-ups within their cybersecurity team. As in agile, daily stand-ups in the security team help members understand whether there are internal dependencies to completing their work. Also as in agile, the biggest benefit of a daily stand-up is that cybersecurity management can be alerted to any impediments preventing the team from completing its planned work. Management can then work with leadership from other teams to clear those impediments, allowing the cybersecurity team to complete its objectives in the time frame required to continue protecting the organization.

To illustrate the importance of communication between the cybersecurity team and external teams and stakeholders, let's take the example of a cyber incident affecting the organization. In this one example, the organization would likely need incident response preparations, training for handling the situation (including data breach procedures), scenario planning and tabletop exercises, and an incident communication plan, all developed and tested in conjunction with other teams and personnel. Communication is at the core of both agile and cybersecurity team success; neither can operate effectively in a vacuum.

Empiricism

I have heard seasoned agile practitioners say that no single word better sums up agile than empiricism. The same is true in cybersecurity, where a "trust but verify" approach is often used.

Empiricism is an experience and evidence-based approach to knowledge. To put it another way, empiricism relies on observation and experience as the primary ways of obtaining knowledge. In agile this means that teams and organizations find out what provides value and what does not through direct observation. 

One example of this is the sprint review, where the working software created during that sprint is showcased in a live demo for the stakeholder representative, or product owner. The product owner then determines whether that software is indeed what is needed, or whether the team needs to change direction.

Empiricism is also extremely important in cybersecurity and in many ways can mean the difference between compliance and true security. Compliance means that an organization "checks the boxes" in terms of security controls by showing adherence to a framework such as NIST SP 800-53. But compliance does not necessarily bring security. One big problem with a compliance-based approach to cybersecurity is that an organization gets only a point-in-time snapshot of how well it is doing. In some leading cybersecurity compliance frameworks, a full assessment occurs only once every three years. Obviously, a lot can change in three years, and three years is a substantial period during which bad things could be happening in an organization's IT systems.

Nor is there any consideration of how likely a particular vulnerability is to be exploited in an organization's system, or how critical the data in one system is compared with another organization's systems, so you get a one-size-fits-all approach to cybersecurity. Organizations need a risk-based approach to prioritizing activities and resources, and this risk-based approach is now being extended to granting access to systems, something often dubbed Zero Trust. Zero Trust is rooted in empiricism: things like configurations and system and user behaviors are observed in real time, not by people but by purpose-built systems that use an evidence-based approach to determine whether actions should be allowed or denied based on the level of associated risk.

The government is increasingly favoring empirical approaches to cybersecurity to keep critical systems secure, as evidenced by the Air Force Fast Track ATO released in 2019, which uses real-world, scenario-based testing of systems to determine how secure they are, and by the rise in use of Continuous Diagnostics and Mitigation (CDM) programs and principles.

Why agile cybersecurity is more important than ever

Securing IT systems has only gotten more difficult over time, and the difficulty has accelerated due to external factors such as the outbreak of COVID-19. As organizations accelerate their digital transformations to provide better and ubiquitous online services in lieu of in-person ones, cybersecurity will need to keep pace. Adoption of agile concepts such as embracing change, optimized communication and frequent feedback loops, and empiricism will be critical for security teams to achieve and sustain this accelerated pace.

Continue the conversation with the TEC37 Security Series

To learn more about how to jumpstart agile adoption, I recommend streaming the video below from a recent virtual webinar during which I joined global executive leaders from WWT to discuss the key ways in which adopting an agile workflow for cybersecurity can lead to a more efficient environment through process consistency, enhanced project visibility and team collaboration across the business. 

Watch Now: TEC37 Security Series E04: Security Strategy: Adopting Agile Principles in Cybersecurity