Applying Agile to Security In Practice
Lots of people like Agile, and lots of people are a bit fatigued by the talk about Agile. In a sea of people who pay it lip service and don't do it right, I thought I'd give it a crack.
So let me start by saying that this is a Work In Progress discussion. If you're over Agile, just skip it - no worries, we can still be friends.
However, if you get the philosophy behind why Agile continues to gain traction, read on... maybe you can assist me on my journey! I am very open to feedback.
Brief Recap
After getting certified as an Agile PM Practitioner, I set out to see how I could apply what I had learnt to an actual IS program. I felt in my heart of hearts that the philosophy and major constructs could be preserved, but that there would have to be some alterations to fit a security team with finite resources.
First, let's take a poke at the general flow of a project:
The Agile Project Management Handbook v2 is a much better resource to learn Agile but the image above is a handy reference.
The general idea behind Agile Projects (or any project for that matter):
- Projects have a beginning, we justify why we want to do it
- We work out if they make sense, and what are the main drivers/objectives/requirements
- We flesh it out a bit more, still work out if it's worth going
- We do sh1t and create outputs
- We arrive at a final deployment, and kick back, assessing whether it was worth it.
Traditional Project Management says that we need to deliver on FEATURES! Time, Cost and Quality may change, as many factors both internally and externally change.
With Agile Project Management, it's very important to deliver on time, deliver within budget, and deliver on what you said you'd do. Major features are still vital, but there's a focus on prioritization - what really needs to be delivered? What are the "Should Haves" and "Could Haves" as compared to the priority "Must Haves" (MoSCoW)?
I set out to align my projects accordingly. I have various streams of work with my Information Security Manager, with various outputs both big and small.
There are a few products (documents) that can be made during any of these projects, but the mandatory ones are:
1) Prerequisite Requirements List
2) Delivery Plan
In the next post, I will expose a little bit more about my Agile Project timeboxing and outputs.
Feedback always welcome!