 back to blog

Move fast, break security: why CISOs must push back against Agile IT

The Masked CISO
December 16, 2021
Please note that this is an automated translation. For the most accurate information, refer to the original version in English.

Agile is about as buzzy as IT buzzwords get. From a well-meaning effort to enhance software quality and delivery speed, it’s been increasingly mis-sold over the past two decades as a panacea to cure all IT ills. The methodology prioritises autonomy, speed of delivery and a “move fast, fail fast” ethos, which is enough to make any CISO grimace.

As the Agile dogma continues to spread, it’s our job as dispassionate security leaders to push back.

Agent of change or agent of doom?

Agile has its uses. As an iterative approach to software development, it can help teams speed time-to-market and remove roadblocks. It can be particularly effective for small organisations and teams. But it doesn’t scale well, and it doesn’t like complex heterogeneous environments. It certainly won’t turn a failed delivery team into an effective one.

Yet Agile is increasingly being adopted as a technology wide operating model—to drive transformation everywhere, from helpdesks to datacenters. Evangelising CIOs are egged on by a business that doesn’t understand its nuances. It’s said around half of businesses have been using Agile practices for transformation for at least three years. But is it always appropriate?

Just say no

I’ve worked with numerous FTSE 100 CIO teams in the past who say: “We’re going Agile”. They really mean: “We’re autonomous now so we don’t need to interact with security and are opting out of corporate governance.”

Another classic request: “Can you give me a risk acceptance/security exception?” which could more accurately be translated as: “Can you compromise security to help me to meet my Agile delivery objectives?”

An appropriate response from the CISO would be: “Of course, as long as you’re prepared to take full responsibility when it goes wrong.”

Security must be accepted as a mandatory functional requirement of any project. We all know building it in by design at the outset is cheaper, easier and safer than retrofitting. Yet it’s astonishing how many Agile projects have “security approval” as the last task in the sprint which inevitably causes delays.

Basic regulatory compliance is virtually irrelevant in today’s threat landscape. Instead, we need to test with capable tools and, where appropriate, independent red teams. CISOs need tools that can closely monitor environments, mistakes, and misconfigurations to mitigate risk effectively. The wider business must realise that a product is not complete until all security requirements are met.

The reality is that, as CISOs, we are the conscience of the organisation. For Agile projects to succeed, we may need to slow things down a bit and ask some difficult questions. Sometimes we need to question the dogmatic faith of many CIOs and their teams.

It’s OK to be the bad guy. Say no to Agile when better common-sense approaches exist.


Want to learn more?

Vectra® is the leader in Security AI-driven hybrid cloud threat detection and response. The Vectra platform and services cover public cloud, SaaS applications, identity systems and network infrastructure – both on-premises and cloud-based. Organizations worldwide rely on the Vectra platform and services for resilience to ransomware, supply chain compromise, identity takeovers, and other cyberattacks impacting their organization.

If you’d like to hear more, contact us and we’ll show you exactly how we do this and what you can do to protect your data. We can also put you in contact with one of our customers to hear directly from them about their experiences with our solution.

Get in touch