Most technology- and development-driven companies apply agile methodologies as these are highly effective and create efficiency - or let’s say uncover laziness and overhead. There are native Scrum, SAFe, LeSS and other frameworks. If you find these in your organization, a top-down driven security program will fail for them. Here is the thing: YOU AS CISO HAVE TO ADAPT. Then apply the same methods for security. Consider security as a necessary feature for the planning of sprints.
While doing that, you will realize that the existing frameworks either do not include security or touch on it only slightly.
Choose the right metrics
Metrics are an essential part of doing agile cyber security. If you pick the right, meaningful metrics, ones that matter to your senior management as well as ones that matter to your employees, you will be able to do data-driven security.
By going agile and following a more bottom-up approach, you need to empower people to become their own CISO for their professional area. At Tamedia, considering all of the above, we defined our very own agile cyber security program that makes use of all the agile methods, tools and mindset.
What comes next?
I invite you to follow our blog series and to learn how TRUST, a DIFFERENT LANGUAGE and LESS CONTROL all come into play. I expect you will be inspired to sharpen your profile as a LEADER, ENABLER and CONSULTANT while staying the CISO who instructs and defines the minimum boundaries - well, the latter, sometimes at least.
Coming up next are several deep dives in which I will share core elements of the Agile/Modern CISO approach.
- Deep Dive: Security User Stories and Epics
- Deep Dive: Leverage Bottom-up
- Deep Dive: Risk Tower
- Deep Dive: Become data-driven / Metrics
- Deep Dive: CISO automation and the CISO Bot
- Deep Dive: User-Focused Security
Following these, we will continue with a more technical part, the Security Automation or Shift Left approach for DevOps. At the conclusion of the whole series, you will get a glimpse of our Zero Trust Architecture called BeyondCorp, which we apply throughout our company.
I hope you enjoy this series and, in the spirit of agile, I welcome your feedback and comments along the way.
Andreas Schneider, Group CISO Tamedia