In most companies, traditional projects usually apply the waterfall model. In this model, the Project Manager aims to define project phases around a fixed scope or certain features.
These phases run indirectly and sequentially up to a projected end that is usually defined by time and costs.
The larger the scope, the more difficult a waterfall model is. All too often these kinds of projects run out of budget and time as both of these variables are impossible to estimate bindingly.
In my experience, I’ve rarely seen any successful waterfall project design. In fact, there are interesting studies around Agile vs. Waterfall, like Ambysoft’s 2013 Project Success Rate Survey or PWC’s 2017 Agile Project Delivery Confidence Study, that clearly state that 64% of agile projects are successful whereas waterfall projects only reach 49%. I personally still like the model because it allows for security to be easily integrated within an early design phase as well as close to the end in the testing phase.
Is Agile the better approach for a CISO?
The main issue with the model is that it is driven from the top with the underlying assumption and mindset that the senior manager knows it better. I consider this a huge misconception as an idea is driven to implementation best where most information is and this is most often at the basis, where the real work is done.
That’s why I believe that agile methodologies follow a better approach for driving a security program efficiently and effectively. It took me a few years of experience to come to this realization, to be honest.
Following an agile approach for security means that you as a CISO are a senior manager and will need to give control where most information is. And that is NOT with you!
There’s an inspiring story from David Marquet about Leadership. It does not speak of agile but of intent-driven leadership that follows the same principles.
Waterfall vs. Agile
Let us take a closer look at the two approaches. When using the waterfall approach, you know exactly what you get (from the view of the senior manager). There are macro-milestones, the project manager’s limited competencies, and you steer the project from an umbrella view. As features are fixed usually costs and time differ extremely from the original planning.
A big difference between waterfall and agile is that with an agile approach, usually budget and time are set first. Based on that, scope and features are incrementally estimated and re-adjusted in an iterative way. To be efficient, the project is broken down into micro-phases, micro-features and micro-feedback. These micro-iterations allow very good planning, re-adjustment and implementation of features. On top of that, progress is provided as transparent as possible to stakeholders and project members. To achieve that, the project manager needs to take micro-decisions in every iteration which means that this project manager has all the competencies needed to do that.
Most technology- and development-driven companies apply agile methodologies as these are highly effective and create efficiency - or let’s say uncover laziness and overhead. There are native SCRUM, SAFE, LESS and other frameworks. If you find these in your organization, a top-down driven security program will fail for them. Here is the thing: YOU AS CISO HAVE TO ADAPT. Then apply the same methods for security. Consider security as a necessary feature for the planning of sprints.
Whilst doing that you will realize that none of the existing frameworks include security or only touch it slightly.
Choose the right metrics
An essential part of doing agile cyber security are metrics. If you pick the right and meaningful metrics that matter for your senior management as well as metrics that matter for your employees, you will be able to do data-driven security.
By going agile and following a more bottom-up approach you need to empower people to become their own CISO for their area of profession. At Tamedia, consider all of the above, we defined our very own agile cyber security program that makes use of all the agile methods, tools and mindset.
What comes next?
I invite you to follow our blog series and to learn how TRUST, a DIFFERENT LANGUAGE and LESS CONTROL all come into play. I expect you will be inspired to sharpen your profile of a LEADER, ENABLER, CONSULTANT while staying the CISO who instructs and define the minimum boundaries - well, the latter, sometimes at least.
Coming up next are several deep dives in which I will share core elements of the Agile/Modern CISO approach.
- Deep Dive: Security User Stories and Epics
- Deep Dive: Leverage Bottom-up
- Deep Dive: Risk Tower
- Deep Dive: Become data-driven / Metrics
- Deep Dive: CISO automation and the CISO Bot
- Deep Dive: User-Focused Security
Following these, we will continue with a more technical part, the Security Automation or Shift Left approach for DevOps. In conclusion of the whole series, you will get a glimpse at our Zero Trust Architecture called BeyondCorp which we apply throughout our company.
I hope you enjoy this series and in the spirit of agile, I welcome your feedback and comments along the way.
Andreas Schneider, Group CISO Tamedia