In case you didn’t notice, we’re in the midst of an agile takeover. Organizations are sprinting toward fleet-footed management of the cloud and, yes, the entire IT infrastructure. Nigel Hedges is just one of many IT pros who believe agile is a broadly useful “set of methodologies and frameworks to get $h!t done quickly and efficiently.”
But what about agile threat response? By using evidence-based knowledge to combat existing or emerging threats, your IT team can respond and shut down these attacks faster than ever.
Applying the tenets of extreme programming and other flavours of agile software development can improve your data security—allowing you to react at the drop of a hat. In short, you’ll be able to stay one step ahead instead of one step behind security threats.
Wait—since when is agile infosec a thing?
There’s no shortage of threat intelligence, which Gartner defines as evidence-based knowledge that helps us make decisions. IT teams can rely on more real-time network alerts and insights from external vendors than ever before, but Gartner’s study revealed only 30 percent of companies currently apply real-time intelligence.
Organizations using agile management respond faster to changing customer needs. This can result in a spike in profitability as they quickly pivot and deliver. Agile tenets focus on delivering value fast and minimizing waste, which is why they’re useful for more than just software teams. Gaining the ability to spring into action in response to cyberthreats can make the difference between an isolated incident and a full-scale security disaster.
When you know you’re facing an actual threat as it occurs, your organization can contain the threat, protect classified data, and minimize your business’s risks. A few stressful minutes is better than learning months too late that a criminal organization gained entry undetected and stole all your data. Adopting tools from the agile methodology is a meaningful step toward a proactive security culture.
1. Get rapid feedback and rapid delivery
Rapidly delivering software features during development projects comes with serious advantages—specifically, protection from spending months developing an app the HR team can’t actually use for payroll processing. Delivering features quickly to gain feedback protects against failed development projects, and the same fast loops can protect you from epic security face-plants. WIRED’s Thomas Goetz defines the idea of agile rapid feedback cycles with four distinct characteristics:
- Consideration of insights
- Recalibrating action
What does this mean in practice? Not spending the months after passing your PCI assessment working on other projects while your compliance falls apart. It also means exceeding the bare minimum requirements for once-daily log reviews and switching to intelligence tools that notify you when the bad guys come knocking at your door in real time.
2. Don’t stop defining risk
A few years ago, security expert Barry Kouns redefined data-related risk as the combination of the consequence of an event and the probability of the event. For the math nerds in the room, Kouns’s idea can be spelled out with simple multiplication: Impact x Threat x Vulnerability = Risk.
If your organization’s printers have limited built-in security, your risk of being negatively impacted by generic malware is likely high. On the other end of the spectrum, the business continuity risk you’d face if your cloud provider’s nationwide data centres experienced simultaneous failure is fairly low.
The agile method broke almost all the rules of waterfall software development. It introduced the crazy idea that project requirements can be changed after developers have already written code. The same rule-breaking idea about redefining risk at any time can revolutionize security. Chances are, you’ll think about vulnerabilities differently when risk is a printer in your mail room instead of a vague threat of “bad guys” or “evil hackers.”
3. Use rapid reassessment
It’s hard to ignore problems in an environment where agile’s done correctly. Whole-team collaboration usually requires daily stand-up meetings and retrospectives. With all that transparency, no one can really hide a mistake for long. The idea of whole-team honesty—when combined with the agile focus on aligning people and processes into action—results in a security environment where nothing gets forgotten.
In practice, rapid reassessment can take shape at your organization in a number of ways, including 15-minute daily stand-up meetings, where you track your security status against metrics. It could also equate to encouraging honest communication with your colleagues when security tasks are falling off your plate or making the brave—and important—case to your CIO when you need training. Most importantly, rapid reassessment prevents painful retrospectives about how you could have avoided a security incident.
4. Remove artificial barriers
There may be more of a barrier between parts of your IT team than you think. Few organizations conduct security testing during development, partly due to talent shortages—there’s an average of one application security expert for every 80 devs.
Removing artificial barriers between security and DevOps requires more than just communicating security findings and risks. You may need to beg your boss to hire another security tester. Integrating real-time security knowledge into your homegrown applications is an idea worth chasing.
5. Update your policy continuously
Depending on your compliance requirements, you may only be required to update your security policy once a year. A security policy that is a full year out of date is your worst nightmare. You can suffer from policy-induced problems, ranging from no standardized procedures to loads of shadow IT.
Agile threat response means speed and, more importantly, action. As your team learns through active risk definition, you should put your findings into policy. Believe us, it’s a lot less painful than the alternative.
Anyone who tells you agile is a cure-all for every business problem is probably trying to sell you something. Tools—like rapid feedback cycles—can’t solve every problem you face, but they can translate data into action. Ultimately, that’s what you can control. You can’t get rid of every cybercriminal, but you can show up and commit to improvement.