Cover Feature Cyber Security
Culture Shift of IT Security in an Agile World
By Gerald Pang
About the Author: Gerald Pang has 17 years of experience in Information Security Management across various industries, working closely with business leaders, with specialization in IT security, GRC and Data Privacy. He is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified Information Privacy Manager (CIPM) and Certified SAFe® Agilist (SA), and holds a Master in Information Technology from Queensland University of Technology.
Agile software development is becoming more prevalent in today's digital evolution. The culture shift that Agile brings is meant to help organizations become more efficient and effective in product development, in order to meet the demands of customers and end-users. Through Agile, teams work collaboratively to develop and deliver a product quickly. While the transformation of software development has progressed, the management of information security and risk in such an environment has not been defined and adapted to support it. Based on the SAFe Agile Principles by Scaled Agile, this article suggests four culture shifts that an IT Security organization may consider in order to adapt to the trend of Agile software development.
60 | Cyber Risk Leaders Magazine
Integration of Agile and Security mindset
In line with the SAFe principles "Apply systems thinking" and "Assume variability; preserve options", the first transformation that an organization may consider is to involve IT Security as part of the Agile team. Most of the time, IT Security is only involved either before development starts or after it is completed. Instead, IT Security should be part of the team, providing guidance and determining the security controls to be added in each development iteration. As IT security cuts across technology and business functions, involving IT Security in synchronization events will clarify the security requirements. This enables the different platform teams to be aligned on the security requirements to be implemented at the various levels of the solution. IT Security being part of the Agile team also means that they, too, need to assume variability: IT Security should be aware that product requirements and risks will change throughout the product development iterations. The dynamic development environment requires IT Security to consider the ever-changing risk landscape and determine the IT controls to be added within a development