CIOReview
| | December 20209CIOReviewis reasonably safe to assume that we have all been part of a project that went of the rails or didn't meet expectations. In many of those cases it can take months or even years to recognize that a project isn't going to deliver on its promise. The first step we can take to improve this problem is breaking work down into smaller components. A reasonable objective is to break down any project into two-week iterations of work. What will you do in the next two weeks? It's a small objective with clearly defined acceptance criteria. How does focusing on work in two-week iterations help? In security, more than most disciplines, change is a constant. In large projects requirements will change and shift over time. Looking at work in smaller chunks allows us to more dynamically respond to changing conditions in the environment. It also enables employees to more clearly understand deliverables and objectives. These benefits are more fully realized by taking the second step in adopting Scrum practices, which is creating a tight feedback loop. Every two weeks our Security Architects, management, and key stakeholders get together to review all work being completed in a two-week chunk. Each employee presents for 5 minutes on their progress in the last two weeks, and highlights any challenges they encountered. The objective of this meeting is to provide brief tactical insight into an effort, and provide clear feedback as to if the project is proceeding appropriately. Using this method employees are accountable for their results, and it ensures that the right work is always happening at the right time. This methodology creates an efficient mechanism to respond quickly and consistently to new and emerging threats. For example, what if you discovered a critical vulnerability in a key system within your environment? Fixing a vulnerability in a key system can be complicated and fraught with risk of outages or downtime if its done incorrectly. Breaking that effort into two week cycles of work, and regularly reviewing progess, ensures management maintains visibility into progress and that any hurdles are overcome quickly. We've used this process to run everything from Red Team exercises to large product implementation. For example when implementing a new Data Loss Prevention system, we broke the project down into numerous small chunks of work. There are a variety of planned two-week sessions of work to do things like: build out a rule for a specific type of sensitive data, develop a report for executives, and create a new policy for a certain type of threat.Agile processes can seem intimidating and complicated to take on. The approach laid out here is intentionally simplistic. Start breaking your work into small iterations, and create that tight feedback loop. You will very quickly find you are getting better results on the work your team is doing, and the speed at which they can work will accelerate very quickly. Once you have that momentum started, then you can start to read and learn more about Agile methodologies like Scrum. There is no one right way to adopt processes like this in a Security team, but the benefits of even getting started are compelling. Brenden Smith
< Page 8 | Page 10 >