Monday, September 10, 2018

Agile Security Management - is that a thing? Should it be?

I just finished reading the updated version of "Adventures of an IT Leader" by Robert D. Austin, Shannon O'Donnell, and Robert L. Nolan.  I don't strictly work in IT any more (Information Risk Management) and I am not an IT leader, but what the hell, it's a free country, and I have to keep tabs on what the management types are being taught to stay ahead of the game.

Anyway...

In one of the chapters the main character (who looks like a James Bond villain on the cover) is discussing project management with his subordinates, and the discussion turns to Agile Project Management, which, as many of you (yes, you, my imaginary readers) know, I am not the biggest proponent of, mainly because I think it often gets used in cases where the traditional waterfall approach would be a better fit.  In this chapter of the book, nine principles of agile project management are laid out.

  • Deliver Something Useful
  • Cultivate Committed Stakeholders
  • Employ a Leadership-Collaboration Management Style
  • Build Competent Collaborative Teams
  • Enable Team Decision Making
  • Use Iterative Feature Driven Delivery
  • Encourage Adaptability
  • Champion Technical Excellence
  • Accelerate Throughput

(Elsewhere I see 12 totally different principles; since these were the nine in the book, these are what I went with.)

As I was reading I was wondering whether these principles could be applied to the security arena.  I know most of you are thinking, "Of course they can," and I tend to agree.  The second question is: are we?  Again, I know you are saying, "What, don't try to be stupider than you actually are, Chad!  Of course we are!"

Really?

Let's start with principle one, "Deliver Something Useful".  What do you deliver that's useful?  Reports?  Metrics?  How much impact do you think those actually have?  My guess, industry wide, is minimal (I am not trying to attack anyone's individual work if you took it that way; that wasn't my intention).  To me something useful would be an easy-to-understand framework that IT can work within to ensure secure delivery of services.

"Wait," I hear the annoying voices in my head screaming, "what about ISO 27000, NIST, and COBIT?"  Well, if those work for you, more power to you.  If they don't, you have to have something.  Something that is easy for IT to understand and follow.  Something that encourages cooperation instead of making security the enemy.

This same sort of exercise applies to all nine principles.  Or maybe not; maybe I am just blowing smoke out my butt.  "Iterative Feature Driven Delivery" could easily be "do all the foundational controls of the CSC Top 20, then go back and do the next set".  It could also be "update your framework quarterly as security and IT processes improve".  The idea is to return to first principles of security and close some of the holes that are caused by mistake, inattention, or lack of caring.

Anyway, that's where I am at on this.  If you have ideas (assuming anyone besides the 27 extra personalities in my head ever reads this), I would be happy to hear them.  Also, if you know of someone who has already done some work on this, point me to them.
