Security and Compliance in Agile
It's been awhile since I last posted anything but that's because I've been knee-deep in helping a Security and Compliance team move from a traditional waterfall approach to an Agile approach to developing and managing their work. Talk to any development group in a large organization, especially one that is Agile, and say the words Governance or Compliance (or worse Audit) and you will get a collective shudder and the sound of everyone running for the door.
The truth is this: Every organization has to protect their customers and their brand. We do this in many different ways, but one thing that we don't do well typically is ensuring that our Product Development teams actually know what these groups do and the value that they can bring in knowledge to developers. We often view developers as people who know everything, hell they can code to make features come to life so they must also know about secure coding practices and the like (guess what, they don't)
Security Governance and Compliance shouldn't be considered necessary evils, rather they should be considered insurance policies that we take out every time we push code to production. You wouldn't think about driving a car without insurance because if you do hit someone and injure them, it will cost you a boat load of money. Yes the odds may be small but taking that risk is one that most people won't take. We should look at our Security and Governance in the same light, in fact an even brighter light because very few drivers are out there actually trying to hit you to hurt you, whereas hackers are doing just that to your site day in and day out.
With the speed at which hackers and attackers are figuring out new ways to breach our security protocols Security and Compliance teams need to work in a much faster pace. Think incremental improvements over gold plating a solution.
In Agile teams are focused on delivering value to the business every two weeks and as they go through their process of iterative design and development we also focus on technical excellence. Product Development teams need to be able to get fast feedback on security questions so that they can incorporate Security changes before development begins. As a Product Owner you have to understand that the velocity of your team to deliver value MUST include time for them to refactor code and implement ever better secure code, it's simply not up for negotiation if you want a high quality secure product that your customers engage in.
The teams that I'm working with have been willing to engage and somewhat leery in moving to Agile and we are tackling how to handle a team that doesn't deliver code and whose work doesn't necessarily fit into a strict 2 week timeframe. Additionally these teams aren't used to thinking in short increments so breaking down their work doesn't come naturally, but they are finding ways to do it and they seem to like the visibility and transparency Agile provides.
For Story estimation I developed a quick and easy way for them to estimate their work, taking into account that we don't have true Scrum teams but loosely aligned people working on distinctly disparate tracks of work, it looks like this:
- 13 points - One person working one Story for the entire sprint. This would typically fall into the same category as a Research spike.
- 8 points - One person working one story for half of the sprint
- 1-5 points - One person working one story for 1, 2, 3 or 4 days.
Some of the team has started to use this and we are starting to see what our potential team velocity might be. This will help us next year when we do our Roadmap planning.
Additionally since we are using Rally, I've created six-week release windows that teams can align their work to and then assign the iteration that they will complete the work. With both the Release and Iteration views I can see what the team is planning and what they are executing.
Perhaps the biggest challenge that we need to address next is how do we build a plan for work that may span 1-3 years in duration. The team has commented several times that moving to Agile is hard since they are used to doing everything in a Waterfall method yet the reality is that whether we are doing Agile or Waterfall as a Program Manager I would expect them to identify high level milestones, understand and describe how the project will unfold. None of this can't be done in Agile.
The notion that Agile isn't about planning has always amused me since I know that in Agile if you are doing it right it is all about PLANNING. One thing that differentiates Agile from Waterfall from a Project Management perspective is that we don't have a change management process. I think we have believed that laying out a project in a Gantt chart with tons of up front planning that really results in Change Requests was effective. Instead identify the key milestones that make up the project, commit to those and then understand that we'll change along the way but the key business value that we are delivering shouldn't. If it does then you aren't working on the right stuff.
To those Information Security Management groups who think that they can't be 'Agile', think again.