Agility & Compliance & Security: A perfect match, but the domains need to be aligned correctly.
It took a while. But we are at the frontier where agility, compliance, and information security start coming together. Pressure from regulators, from the business side and from threat actors is making it happen.
In this article, we are going to look at the following topics:
Breaking things - The case for compliance and security, especially for those who say it is "too expensive".
Moving fast - The case for agility, especially for those who think less frequently about business cases.
Slightly complex - The compliance and information security rift, especially for those with difficulties differentiating between the two domains.
Slightly complicated - how agility integrates with compliance and security, especially for those who think it is impossible.
Keeping accountable - Project management is risk management, especially for those needing to appreciate risk management more.
Continuously trained - Promote mutual understanding, especially for those in charge of ensuring the venture succeeds.
Business perspective - Finding the sweet spot - especially for those who like to think further about the topic.
Breaking things - Making a case for compliance and security.
It is too expensive. It is not fun. I often hear statements like these. They are wrong. I still remember when a listed company's corporate website needed nothing more than a single, simple penetration test to satisfy the security policy, or when tax filings full of sensitive data were still submitted on paper. Things have changed.
Under the hood, use cases have become more complex, and the cycles have shortened. Some say compliance and information security are slowing things down and complicating things, but a substantial risk is associated with neglecting them. Indeed, fine-tuning is needed, but ignoring compliance and security in a connected world is the wrong approach.
Breaking things and breaching regulations can lead to hefty fines. And neglecting security can interrupt your core business, with severe consequences.
So compliance and security considerations shouldn't dominate every business decision, but they do need appropriate care. Agile methodologies help you give them that care.
Moving fast - The case for agility - especially for those who think less frequently about business cases.
Nowadays, things change quickly. There are clear signs of openness to frequent change on the information security front. But compliance is still moving a bit slower. True, regulatory processes need more time - which is also welcome to a certain level - but on the other hand, compliance/regulation may also become too strict and stifle change, thereby breaking business cases.
So, validating business cases against compliance and security requirements is essential. Especially in a SaaS context, there are many potentially lucrative business cases. But these business cases also need to be supported by solid business processes. And these business processes cost money. So do the talented people filling compliance and security roles. As a result, the business case needs to be strong enough to support paying their salaries.
At this point, agile methodologies can help. For example, agility avoids over-specifying up front, which is expensive and may need rework by the time you finally get around to building the features.
And agile methodologies also provide ways to prototype solutions and pivot if the need arises - e.g., when a competitor adapts its offering or when entering new markets.
But then, why isn't the adoption level already much higher?
Slightly complex - The compliance and information security rift.
Heterogeneous teams usually win the day. But working in a heterogeneous group can be challenging - we typically like to surround ourselves with people who think alike.
Compliance, product development and security are different domains. People in compliance roles usually have a business/legal background and are part of a "shared-services organisation" (CFO/CRO). Information security people typically have a technical background and are part of the product/technical organisation (CTO/COO). It goes even further - the software developer primarily wants to build a working solution, not necessarily a compliant or secure one.
These are all clichés and a very simplified view. But in a nutshell, diverse objectives, domain languages and different mindsets need to be aligned.
Human complexity increases, and agile methodologies are the perfect catalyst to mitigate these challenges. If you don't invest, you end up with ineffective silos. Therefore, it is advisable to improve your processes and practices.
Slightly complicated - how agility integrates with compliance and security.
You need three things to link an agile organisation, compliance and security. In the following order of importance - from macro to micro:
Transparency, i.e. a culture in which risks can be discussed openly. Transparency shouldn't be an issue in a "functional" agile organisation. Nevertheless, I am mentioning it here again. Why? Because it is so essential. In a nutshell, if there is insufficient transparency, the subject matter experts will need to hedge, because they can't openly assess the situation and discuss the resulting risks and mitigations.
Clear rules of the game, i.e. backing from a methodology perspective. Compliance and security used to work differently. So first, the domain experts usually need to become more familiar with agile methods. And every change is hard. Therefore, teams need strong leads from a methodology perspective. Yes, an actual Scrum Master and not a coaching role.
A facilitator, a translator between the languages of compliance, product development and security. In smaller settings, you might have generalists who can move between the domains. In larger settings, highly specialised people will need support to build a shared domain language.
Why is it so important to discuss risks?
Keeping accountable - project management is risk management.
Nowadays, one reads far too frequently about a new data exfiltration or ransomware attack. And this is only the tip of the iceberg, because if organisations can, there is a chance that they will try to keep the incident under wraps.
Compliance and security domains need to know what is happening "in the system" to do their job. Potential risks have to be visible, and assessing the risks needs to be possible.
For project management to succeed in the long run, transparency needs to be a given - e.g., understanding how much a shortcut will "cost" means the associated risks must be raised and managed.
Many organisations don't do proper risk management because it is hard to assign a direct "business value", or they see it as a "constraint".
In a way, this is true, but project management is risk management.
You should invest resources continuously, best by baking basic risk management into your processes.
If you don't, risks will materialise sooner or later. Usually, it is much more expensive to mitigate a risk that has already materialised than to reduce its impact well ahead by performing diligent cross-functional risk management.
Compliance and security need working risk management. And a truly agile organisation embraces risk management.
Continuously trained - promote mutual understanding.
Without a doubt, the three domains already have substantial touchpoints. But still, the convergence accelerates further.
The domains evolve. From a technical/infosec perspective, there is an ongoing shift from on-premises to the cloud. The migration is happening because there are fewer and fewer use cases where it makes sense to host on-premises. With a proper transition from on-premises to the cloud, the complete architecture changes - suddenly, you need to consider aspects like entrusting your data to a cloud provider and identity-based rather than perimeter-based access control.
Technological advancements like the shift from on-premises to the cloud have also changed things on the compliance side. From a regulatory perspective, "the shields have been raised" due to generally more extensive user data collection and processing.
Infosec must understand the "why" behind new regulatory efforts. And compliance must understand the risks that are associated with cloud-native architectures. So the two domains must understand each other's challenges and use that knowledge to enable the business stakeholders.
This complex relationship is where agility can be a significant enabler. Agility can support involving all stakeholders and enable the domains to collaborate effectively.
However, this only works if the business sponsors also understand the challenges and embrace concepts like a learning organisation, which are vital to evolve towards more agility.
Business perspective - Finding the sweet spot.
These are challenging times - for all types of businesses. However, modern and "self-aware" organisations can better cope with the emerging challenges in a VUCA (volatile, uncertain, complex, ambiguous) world.
One action item is to invest in all organisational domains to become more adaptable and resilient.
So the leadership team must also develop "shared services" like compliance, infosec and risk management.
While doing so, every organisation has to find its sweet spot.
Before making decisions, the organisation should clearly understand its risk appetite and consider the impact in case of a severe incident.
Then, based on these considerations and the organisation's size, a pragmatic way forward should include built-in touchpoints with the compliance and security domains early (and often) in the organisation's value streams.
Agility helps to increase the modernity and self-awareness of the organisation.
If the compliance and security domains are enabled by agility, the organisation can take a critical step on the journey to solve potential weak points before they become impediments.