Some years ago, one of the founding fathers of the Agile Manifesto, Andy Hunt, wrote about how the Agile movement had sort of lost its way. One of the reasons he cited was the proliferation of a disease he called “flaccid agile”.
Flaccid agile is where you cherry-pick some of the principles and practices you like the best—and then fail to even execute those properly.
Now, I know I’ve seen my share of flaccid agile shops in many guises – across a number of functional areas – and I’m sure you have too. Maybe you have pockets of this in your own organization.
But before we go any further, I’d like to get a couple of things on the table:
First, following the “Agile is a mindset” principle, when I’m talking about Agile Security, I mean something similar to, but not the same as, the Agile Software Development defined by the Agile Manifesto. So it’s not about implementing the Agile Manifesto word-for-word and principle-by-principle. And it’s not about “doing” DevSecOps, which really only addresses one large, but indeed critical, piece of the security puzzle. It’s its own thing.
And the second is to point out the obvious – but often overlooked – fact that you can’t do “agile” anything without a strong set of experienced leaders in the team who are committed to doing better work and who are given the freedom they need to pursue it.
There are several recurring strains of flaccid agile security, but one I’ve seen firsthand is the “Agile means there’s no process, rules or structure to what we do” disease.
I mean, look, it’s right there in line 1 of the Agile Manifesto:
Individuals and interactions over processes and tools
So, what happens is “free-for-all security”…which kinda resembles a bunch of headless chickens running around…or, maybe it even suspiciously looks like the repetitive and constant fire-fighting shifts many teams are already doing.
“Look, Ma! We got us the Red Team and the Blue Team, and we’re movin’ fast and taking no shit from nobody!”
But it doesn’t quite work out. Things get slower not faster. Quality goes down. Stress goes up. Mistakes get more frequent. Customers get more unhappy. Projects get even later.
“Well, the process makes us slow! We don’t have time to follow the process.”
To which I say, quite frankly: bullshit.
Because the key to the first line of the Agile Manifesto that most people don’t really understand is the nature of the individual it describes. It’s not an individual who doesn’t follow a process…
…it’s an individual who knows a process “by heart” and so deeply understands it and what it’s supposed to accomplish that they’ve INTERNALIZED the process.
They just don’t have to think about it anymore, and they have enough experience to treat the process as a framework with elements they can pick and choose to apply based on what they see in front of them—because they understand the value that needs to be delivered THIS time…in THIS iteration…for THIS customer.
To them, it’s like the difference between the nervous-as-fuck 16-year-old taking their driving test for the first time, who might put the car in the wrong gear or stomp on the brake too hard, and the 40-year-old driving the family on vacation, keeping one eye on the road, having a conversation with their partner, disciplining one child, reaching behind the seat to rescue a toy for another and still being able to drink a scalding cup of coffee without spilling a single drop—while doing all this at 80mph on the Interstate and not once – for even a second – putting the family in danger.
But it doesn’t come easy, and it doesn’t start by throwing out all the things you don’t like.
It comes from understanding the security team you need to become, taking an honest look at yourself in the mirror, and making a plan to realize that aspiration.
Then sticking to it—every single day.
You don’t run before you can walk, and you (generally) don’t walk before you crawl—even though one of mine nearly did.
But you also don’t stay hobbled with training wheels forever, either, just because you lack the confidence or courage to break through to the next level of understanding and face the fear of screwing up something you’re not quite sure you’re ready to do.
And when the fate of the organization as we know it depends on you not screwing up, it can be a hard thing to do.
But you must do it. Because the truth is, the only real cure for flaccid agile security is the knowledge, expertise and experience you build over time.
However, the Viagra pill that can get you in the game before you’re quite there yet is having the right process and framework that starts you going through the motions even before you’re quite sure why.
And that process and framework is what I’m going to talk about in the upcoming August issue of the Security Sanity™ newsletter.
Because you can’t throw away the book until you know it so well you’re confident it’s no longer necessary.
To make sure you get your copy, go to this link, scroll all the way down to the bottom with your credit card in hand, and click the big, yellow Subscribe button.
Because if you wait too long, you’ll miss it. And this one is so important, it’ll never be offered as a back issue even if I do decide to make them available at some point in the future.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
P.S. Here’s something you can do if you liked today’s post: you can sign up for those daily emails that annoying pop-up keeps asking you about. Or, if you want to know more about what you’re going to get if you do and how it works, then just go knock on the front door: https://archistry.com and you’ll get the whole deal.
Or…you can just keep reading the blog, or ignore me and Archistry all together. I’m good either way.