Does The Digital Enterprise Require Agile Security?

They established enterprise-wide policies and supported them with standards. They have emphasized the importance of governance as a counterweight to individual development teams’ tendency to prioritize time-to-market and cost over risk and security. The have built security service offerings –requiring development teams to create a ticket requesting service from a central group before they can get a vulnerability scan or a penetration test.

All of these actions have proven absolutely necessary. The lack of which would have caused more cybersecurity breaches and many other violations that would have been more severe.

However, there is a basic tension between the actions above the emerging digital-analytics-agile-DevOps-cloud operating model many enterprises are seeking to adopt. As companies seek to leverage public cloud services, they often find that security is the “long pole in the tent” in setting up an application on a public cloud infrastructure. At one financial institution, development teams expressed frustration amounting to anger in the time it took the security to validate and approve incremental items in their cloud service provider’s catalog for production usage. Developers at other institutions have been frustrated by the fact that they can spin up a server in minutes, but must create a ticket and wait for weeks for the vulnerability scan required to promote their application to production. Again and again, IT organizations are finding that existing security models do not run at “cloud speed”–and are not provided with enough specialized support to developers on issues like analytics, RPA and APIs.

This has resulted in the creation of a tension between development and security teams that leads to missed business opportunities due to the delays in getting new capabilities to market. In some cases, it results in an increased vulnerability as development teams bend the rules to work around security policies and standards.

AGILE SECURITY

At least a few sophisticated IT organizations are starting to make the transition to an agile security operating model. In most of these cases, existing programs that are moving into an agile infrastructure have started to pull security along with them and are encouraging the adoption of agile practices. What does agile security look like?

• Move from ticket-based to API-based interface for security services. Agile security organizations seek to automate every possible interaction so that development teams can perform vulnerability scans, adjust DLP rules, set up application security, and connect to identify and access management services via APIs.

• Organize security teams around into scrum or scrumban teams managing developer-recognizeable services (e.g. IAM, DLP).

•Recruit development team leads to serve as “product owners” for security services–just as business managers serve as product owners for customer journeys and customer-oriented services.

• Explicitly manage “planned” and “unplanned” work, in order to create capacity to focus on automation and API creation.

• Shift talent model to incorporate more E-shaped skills sets, inclusive of integrative problem solvers and automation/ development skill sets, in addition to depth in security technologies.

Among analytics, RPA, agile
, DevOps and cloud, enterprise IT is evolving rapidly in exciting and value-creating ways– and this evolution is causing a natural tension with existing cybersecurity operating models. While it is still early days, adopting agile security might just be the most effective means to protect the institution while also supporting the business’s and IT’s innovation aspirations.

See Also: The Cyber Security Review