Many cybersecurity professionals wonder how to implement Agile methodologies such as Scrum, XP (Extreme Programming), Kanban, and/or Lean on a cybersecurity project. While some cybersecurity professionals take the standard waterfall approach without even exploring the possibility of implementing Agile for green-field projects, others have successfully adopted Agile not just because of reduced project overhead but because of elevated productivity and employee satisfaction.
Agile Manifesto Principles
• Individuals and interactions over processes and tools
• Working software over comprehensive documentation
• Customer collaboration over contract negotiation
• Responding to change over following a plan
Professionals in the service industry helping clients with the Agile transformation often exclude Agile Manifesto principles in their planning. This could be because the Manifesto is closely associated with the software development projects.
While the former statement is true, the manifesto principles blend very well with the service, support, implementation and other non-traditional software development projects.
Which Methodology Should I Adopt?
The truth is, all popular Agile methodologies such as Scrum, XP (Extreme Programming), Kanban, and/or Lean can be adopted for cybersecurity projects.
For example, I have seen a Fortune 100 client leveraging Kanban for their CSIRT (Computer Security Incident Response Team) team. I have also seen cybersecurity professionals part of a Scrum and XP teams collaborating with software developers to build security in the product, instead of bolting security later.
Risk Monitoring and Controlling
Risk Management professionals have an untold advantage by adopting Agile because Agile provides a vast array of risk management tools. Following is a sample list of Agile Risk management tools:
• Risk reassessment in planning and retrospective meetings
• Risk audit in retrospective meetings
• Burndown chart and metrics analysis in review meetings
• Velocity analysis in review meetings
• Task boards and burndown chart review in daily stand-up meetings
Agile transformation and adoption for cybersecurity in an organization may take some time, courage and exploration; however, once adopted it’s certain to improve the quality of cybersecurity projects and project management.