Category Archives: Agile Information Security

An Agile Approach to Information Security Strategy

Information Security Strategy requires a new, more agile and adaptive approach in which the security capability can evolve and change incrementally. If the aim is to replace rigid, segmented solutions with adaptable components that both consume and offer services around a consistent infrastructure, the typical waterfall approach to project management based on PRINCE 2 does not provide the required flexibility. The mission for Information Security, therefore, is to seek ways of using technology to make radical improvements in business process agility and responsiveness (hard change capabilities), while developing the new skills and knowledge needed to support and champion the change (soft change capabilities).

In terms of soft change capabilities (skills and methodologies), the Agile approach shifts the emphasis to people working together to address security challenges, putting the organisation at the heart of the development process.

With the Agile approach, new multidisciplinary teams work together to meet the security objectives. These teams are called Tiger Teams and include subject matter experts who have both the knowledge and the authority to make design decisions on the main functionalities of the different systems.

Of course this is a major shift for many organisations, as the traditional governance model has been based on rigid governance aligned with the Structured Systems Analysis and Design Methodology and on the PRINCE 2 project management methodology. It is therefore necessary to build the required skills and to learn while doing, so as to develop champions who can act as internal consultants. One mistake to avoid is to think that Agile is just the existing design process (preliminary business requirements, detailed business requirements, high level technical options, detailed design options and implementation plan) without governance or documentation: that is a recipe for disaster. The suggestion, therefore, is to use small projects from the High Potential and Strategic group to learn this new philosophy. The idea is to use some non-critical projects and/or processes for this learning phase: the process should be quite small and not linked to any specific strategic or key operational capability. At the same time it should require the leverage of knowledge across different fields. This multidisciplinarity fits well with the essence of creating Tiger Teams. Some organisations will use external consultants to help support the process and introduce tools (such as MS SharePoint) to facilitate collaboration and information sharing. Other collaborative tools supporting this process, such as instant messaging systems, should also be considered.

A potential barrier to remove is the rigidity of the traditional security assurance process. For this reason a new security assurance process has to be agreed with the key stakeholders (the assurance teams).

The development of the agile capability has, therefore, to be considered one of the strategic projects; however, I do not think that it should be structured as a formal initiative, as this would create unnecessary layers of hierarchy and internal politics. To allow Agile to flourish while the project is developed, I suggest the following approach:

Set realistic expectations: At the beginning, organisations do not have the skills and capabilities to deliver projects according to the agile methodology, so small, non-critical projects have to be selected. It is likely that these projects will suffer delays and may fail as a result of the additional risks introduced by the lack of agile skills. Therefore a no-blame culture has to be built around and inside the selected project and/or process: people will be evaluated on their contribution to advancing agile knowledge in the organisation.

Find the right balance between governance and agile: Inside the project, regular gate reviews should be held. These reviews provide the opportunity to understand where the project is heading and which functionalities have been delivered. So while the review dates are fixed, the functionalities analysed at these governance meetings will change from review to review.

Create the right team with the balance of skill sets: The team working on the project has to be co-located and have all the skills necessary to progress the development of full working solutions. Although additional funding is required to temporarily relocate staff to the same location, the benefits delivered by the project will cover and exceed these costs.