Updated: Mar 19, 2020
This is the final post in our 2019 National CyberSecurity Awareness Month series.
I’ve been involved in “Agile” and its derivations since it became “a thing” in the 90s. I've had the opportunity to work in and around Agile, Scrum, and SaFE from start-ups through enterprises. This includes 4 years within the Microsoft Trustworthy Computing Team (TwC) building tools and "evangelizing" Agile security and privacy. I’ve even done some Extreme/pair programming during my hands-on developer days and am a staunch advocate of Agile development approaches such as DevOps and “Continuous”. However, I’ve never gotten overly religious or prescriptive about the methodologies and details of the practices. This doesn’t mean I don’t have strong opinions, but rather that I prefer to take the tenets and principals I have found to work, tailor them to an organization or business, then let the details work themselves out organically; mostly – guard rails and nudging is usually required to keep things out of the weeds and minimize delays or stalls. [The same is true for Security Development Lifecycle (SDL) implementations which can support any methodology.] I’ve always been a fan of the Agile tenets of hierarchical organization of work (themes, epics, stories, etc.), shorter duration iterations, and encapsulation of the increments (e.g. “releases”) but more so its focus on building and empowering teams, and its “brass ring” – agility.
In the modern world, no one can really argue the value and necessity of agility. But they can argue the details of Agile seemingly indefinitely. Agility does have trade-offs and costs, but it has solid value and there are few downsides in a balanced approach. Agility is a requirement in (cyber)security or other aspects that manifest and evolve rapidly such as personal safety (healthcare), finance, infrastructure, or privacy. A great take-away from this year’s National Cybersecurity Awareness Month (NCSAM) is the awareness of where agility is a MUST (versus a SHOULD) factoring in your needs and the value propositions. The MUSTs typically fall into the latter NIST Cybersecurity Framework phases (Identify, Protect, Detect, Respond, and Recover) but add value throughout. Attackers work with extreme agility trying to outpace “us” and are embracing methodologies and technologies that can keep them a step ahead (e.g. machine learning). So, “we” must do the same!
Cylidify is available to help and we will continue to advocate agility in cybersecurity and privacy across the NIST phases while focusing on MUST have scenarios in encryption, key materials (including certificates, tokens, and other shared secrets), and authentication-authorization (identity services, MFA, etc.).