The classical approach to security is no longer efficient. We cannot design security the way we did ten or fifteen years ago. However, we still can change our approach. We can make our structures and processes lighter. Read on to see how we can instil agility into our security activities.
In 2001 the thought leaders in the software industry published their Manifesto for Agile Software Development. They proposed twelve principles of the agile software revolving around the following values:
- Individuals and interactions over processes and tools,
- Working software over comprehensive documentation,
- Customer collaboration over contract negotiation,
- Responding to change over following a plan.
Throughout the years, the agile approach helped the organizations to revolutionize their software development efforts. It was an ideal answer to changing business requirements, a multitude of variables influencing project outcomes and increasing complexity of modern software. It was a splendid solution that helped to shorten the product development lifecycle that was expected by the market.
We can also observe these conditions in the cybersecurity field, which heavily relies on new technologies. Best practices for secure development do not keep up with the speed of agile or continuous software delivery. Cloud solutions and mobile devices expanded and demolished our security perimeters. Our businesses rely more on massive sets of unstructured data spread across numerous servers, applications and endpoint devices. The data freely flows between various users, organizations, countries and continents. There are no centralized systems anymore. There are no bastions we can protect. Perimeter-centric approach to security is now outdated.
Yet, in the case of many organizations, the approach to security did not change over the years. It is still too heavy, too complicated and too hard to maintain. It is inflexible, and it does not align well with new expectations of the business.
A better approach is to embrace the change that is happening. I believe we can take small steps to make our security frameworks more flexible, focused on results, collaboration and individuals. Simply speaking, agile. Let us have a look at how we can translate agile principles into security concepts and what changes we can implement to embrace agility.
People over processes and tools
We certainly need a basic set of processes to run our business and security activities in some organized and repeatable fashion. We also need security tools to automate mundane security tasks. It might be hard to imagine security without technologies that help to protect our networks, applications and information we process.
But they have to be useful for the people who are paying for them – internal clients of security services. Not the other way around. How can you focus more on them instead of tools and processes? Here are a couple of ideas.
Table of contents
- Simplify security processes
- Simplify security solutions
- Invest in user awareness
- Use audience centred approach
- Use simple language
- Do not implement “firewalls”
- Promote positive behaviors
- Invest in your team
Simplify security processes
Evaluate your security activities or controls you added to business or technology processes. Try to limit the number of steps and people engaged. Assess each of them in terms of costs and benefits. In the security world, the apparent benefits might be the protection of company reputation, reducing costs of incidents and making sure the company is compliant with regulatory requirements. The cost of controls might be an increase of process complexity leading to delays and additional spending or lost opportunities. Try to judge both of them and compare, if possible.
Businesses often perceive the risks as something virtual and hard to measure, but they easily track their capital expenditures and operating expenses. Because of that, many companies tend to reduce spending of real cash on security capabilities and hope that virtual risks will not materialize. To avoid this, you can use lean management or similar methods to reduce the administrative overhead of security controls.
Simplify security solutions
Try to select solutions which do not require constant user interaction. Popups, displaying each time we send email outside the organization, confusing information classification selections each time we create a new document work well in theory. However, in practice, they lose their value quickly. People stop paying attention to them, and those utilities start to annoy them and slow them down during daily tasks.
Invest in user awareness
Many protection technologies fail because of people mistakes. Configuration errors happen each day and attackers exploit them. No solution detects 100% of malware. Majority of successful cyber attacks start with social engineering campaigns. Therefore we cannot rely only on processes and tools in the cybersecurity world. High level of employee awareness still has an advantage. Build that on every occasion. Use modern approaches by conducting exercises and simulations based on real-life examples.
Use audience centred approach
Attention spans of our brains are getting shorter. The number of tasks our employees need to complete every day is increasing. No one has the time anymore to read emails you need to scroll on your screen a couple of times. No one has the time to concentrate on lengthy e-learnings full of wordy presentations.
Save your time and save the time of your audience. Adjust to the needs of younger generations. Use visual communication where possible by developing infographics and other forms of engaging content. Use shorter forms. Try to sell two or three most essential ideas instead of 10 rules for managing user passwords and 25 requirements for using mobile devices in a single message.
Use simple language
As security professionals, we may use jargon which helps us to express our ideas briefly. But this is not the way we can communicate with the business. If you try to explain your information classification and handling guidelines on 30 pages filled with long paragraphs of legal terms, this is not going to work. Use simple language that can be easily understood by an average employee in your firm. Follow this rule in your policies, standards, instructions and all communication.
Do not implement “firewalls”
In multinational corporations, it is beneficial to use a service model for security operations and transfer them to a shared service centre. To track and measure the workload, we implement ticketing systems. They help to establish and measure key performance indicators related to service quality.
However, this approach also changes the thinking of team members behind the service desk, which becomes a form of human firewall. Very often, people stop communicating effectively. They tend to exchange long chains of emails or comments in the software platform. Sometimes it takes weeks to resolve an issue that could be closed by having a five-minute phone call or web conference. And now imagine a frustration on the other side. It has nothing to do with quality which the software implementation intended to improve.
To avoid that scenario, have a good look at your cases that you plan to migrate to a service desk solution. Do not use it for matters that could be resolved faster by simple human interaction. Establish multiple communication channels for your clients. Build a culture of communicating effectively within your team. If possible, use service desk requests only to catch necessary approvals and track work that needs a proper audit trail. When designing request forms, keep user experience in mind.
Promote positive behaviors
In some organizational cultures, people associate security with hindering operational activities and punishing people for mistakes. But you can slowly and patiently influence your culture. You can always start recognizing expected performance – returning pen drives found in office spaces, informing about security incidents, reporting phishing attempts and other behaviours manifesting interest in protecting your organization.
Invest in your team
When focusing on internal or external clients, we cannot forget about our teams. Invest in their education. Give your team members different assignments that allow them to stretch. Encourage them to go for job certifications. Not for the sake of getting another piece of paper but as a means to expand their knowledge. In-depth understanding of risk management, governance and security architecture is not enough anymore. If we do not understand how new technologies operate, we cannot provide feasible recommendations. Some security best practices that were valid five or ten years ago do not work anymore as intended.
Certifications help to set measurable objectives. There is a deadline for the exam and the specific material that we have to absorb. Even better, if a practical hands-on project experience follows this. Try to combine those approaches, whenever possible.
Summary
I hope that these ideas will help you to start a discussion within your teams about agile security. I hope that these discussions will be a good starting point for implementing more flexible and lean security approaches. If you find this advice useful, please share it with your colleagues using social media buttons below.
