Implementing security the Agile way

Auteur
Sander Nieuwenhuis
Datum

As Security Consultant at Mirabeau - a Cognizant Digital Business, I support our customers implementing the correct privacy and security measures into their digital platforms. Our standard approach uses risk profiles, which trigger proportional best practice measures like security policies, cookie banners and security scans.

When personal data is processed in the digital platforms, we always organize a workshop, explaining the need for privacy and security measures, discussing our approach and requesting any additional requirements in addition to our best practices. Most of the time, clients don’t provide any additional requirements. And that is still surprising!

You would expect organizations to have some minimal requirements for their online platforms, based on their own internal policies, to add to our best practices. Most of the time, organizations do have internal security and/or privacy policies, but these are often not directly applicable to online environments. I think that’s because these policies are aimed at internal systems and employees, and not at custom, agile, digital platforms.

The two just don’t fit. Old school security policies talk about technical firewall configurations, which are not applicable to cloud environments. Or employee password policies, which do not fit for users of online services. So policies and rules need to be translated from a conservative datacenter approach into an agile cloud approach. And that is exactly what I did for one of our customers.

In this blog, I would like to share a few lessons learned from this project (so far).

Implementing agile security

I am assisting one of our customers as it implements an agile version of the necessary corporate privacy and security rules. We started in the first half of 2019 with a greenfield situation, setting up a security and privacy management organization and basic privacy and security rules. Now, in the second half of 2019, we started the first run of compliance checking with these rules. This will complete the first ‘plan-do-check-act’ cycle.

The five main learnings of the first half of 2019:

  1. Integrate Privacy and Security. Due to privacy legislation (GDPR) and people’s growing awareness of what is happening with their data, privacy is becoming a hard-to-neglect topic. Especially for organizations that rely heavily on privacy data to do business, like retail platforms. Privacy is a great driver to get things done, and security is the way to achieve that.

  2. Adopt widely acknowledged standards. You cannot make security up. Well, maybe you can, but it will take a lot of time and you will need to extensively explain why you did things in a specific way. A better approach is to adopt standards and use them in an agile way. We used ISO 27001 as the security standard for security organizations and used the NIST Cybersecurity Framework to get things going. Both are generally accepted, and both contain the minimum controls/actions every organization needs.

  3. Plan for six months at the time. To get things going, you do need a plan. We used the NIST Framework: Identify, Protect, Detect, Respond, Recover to guide our plan. And we’re on our way to growing from Tier 1 (partial) to Tier 4 (adaptive = agile!). The dependencies were listed, the activities plotted in time. But they were executed as user stories, with the aim of being as agile as possible. Why plan six months at the time? Because we couldn’t oversee a longer period. And in an agile organization, you probably can’t, either. ;-) But we did need to present the Management Team and the Risk Team with a concrete approach for privacy and security.

  4. Make ISO 27001 specific. You can’t give everybody in the organization a copy of the ISO 27001 document and tell him or her to implement. First of all, nobody is going to read more than a few pages about security, even when told to. And second, only parts of ISO 27001 are really applicable to the specific reader. So we plotted the contents of ISO 27001 to specific roles in the organization, like security officer, business owner, product owner, DEVOPS-team, IT manager. Then, we only presented the specific security rules relevant to the specific role. So teams are only confronted with that part of ISO 27001 rules they can control. Instead of a massive document, each role received 1-2 screens of combined security and privacy rules.

  5. Why and what, not how. Want to keep an agile organization from functioning and remove all possibilities to innovate or to be efficient? Instruct employees on how to do their jobs. For optimal performance, you need to tell the organization why security is important and what you expect of the individual employees (see previous learning). Trust them to choose the most fitting solution to implement the rule, and be very careful not to tell them how. Sometimes there are exceptions to this rule. For example: if you use the company IAM system for access rights or use a specific security scan tool to perform security scans, you should also provide instructions for how to properly use these systems. Otherwise, hands off the ‘how’. Just concentrate on the ‘why’ and ‘what’.

In the current digital age, security is not an option. It is a necessity. But with a strong plan and a strategic approach, it doesn’t have to be a burden, even in an agile organization. Any organization can get a grip on security, and protect not only its own data, but also the data of every customer with which it interacts. I hope these learnings will help your organization on its way. Need help or want to know more? Please contact me at 020 - 59 50 550 or at snieuwenhuis@mirabeau.nl

Tags

Security Operations