In Agile transformations, it's common to start small with a couple of pilot development teams to gain some experience before implementing larger organizational changes. While sensible on the surface, it’s a recipe for disaster because it threatens the entire transformation, as well as the organization’s security.
Eventually, security and development need to dance together, so it’s best if they both learn the steps together, right from the beginning. Otherwise, once the development teams gain velocity, security and incident management become an impediment, and there’s likely to be a few stumbles on the dancefloor.
Classical security processes are often too slow and incompatible with the Agile way of working, requiring pentests that take two months to complete, multi-worksheet Excel lists, and twenty-page questionnaires for every release. Meanwhile, incident management often begins with incident-response teams conducting the triage and root-cause analysis, without involving the development teams. Two departments doing their own thing isn’t the same thing as dancing together. In Agile environments, making the required changes at the end is too late: by then the environment has already changed, creating too many conflicts.
When departments get inundated, teams will find workarounds. It’s the equivalent of a traffic jam — the potentially fast cars are forced to drive slow because the roads are too full or blocked, and they start looking for alternative routes. The solution is simple: involve all the required expertise as early as possible and implement better feedback loops. But to do this, you must first overhaul your existing security and incident management processes.
It takes time to change a way of working. You need to experiment to find out what works best, and changing while under stress is never the best approach. Aligning processes from the very start of any Agile transformation may prevent disasters. Identifying possible roadblocks early on and reworking them into a more fluent process ultimately improves the entire organization. So, compared with the traditional scenario, you’ll gain a series of advantages:
| You gain | Instead of the traditional scenario |
| --- | --- |
| Deploy to production when you want | Fretting about security problems and time-consuming pentests |
| Real-time insight into compliance | Huge, opaque lists and worksheets |
| Know exactly which systems are online and why | Outdated overviews and databases |
| Mitigate incidents before they have end-user impact | Reacting to a visible outage |
As soon as the first pilot teams start working Agile, start discussing the anticipated velocity increase to prevent a deadlock. Before teams even approach their full potential, look at how to speed up the processes that cause impediments.
The Information Technology Infrastructure Library (ITIL) advocates continuously reviewing and improving your security, service, and management processes based on seven principles:
1. Focus on value; generate value directly or indirectly.
2. Start where you are; preserve good capabilities and improve where needed.
3. Progress iteratively with feedback; improve often in small steps and measure your way forward.
4. Collaborate and promote visibility; work transparently within the teams and with stakeholders and partners.
5. Think and work holistically; it’s an end-to-end responsibility that includes the service and the service value system (SVS).
6. Keep it simple and practical; the right size and use of processes, tools, and resources matters.
7. Optimize and automate; manual work is a bug. Reserve human intervention only for necessary activities.
Changing these processes is not something Agile teams can do independently. It requires departments like security and IT service management to cooperate early on and design new processes that allow for a more continuous flow. In other words, it takes two to tango!