How do you know you’re “agile”?
Well, step 1 is that you have to figure out why you want to be “agile” in the first place. And “because it’s kool, man!” or “because everyone’s doin’ it, dude!” aren’t acceptable answers.
Now, if you’re one of the original 17 authors of the Agile Manifesto, you were just looking for a better way of delivering quality software that people wanted. Andy Hunt (one of the 17) describes it this way:
“I think it provided a jolt of energy, hope of a better way of doing things, of creating software and making the world work better.”
And if you go back to the HBR article I mentioned earlier, the origins of Scrum were forged in the heat of trying to deliver consumer products quickly and flexibly in a business environment undergoing a step-change of:
- Intensified competition
- A splintered mass market
- Shortened product lifecycles
- Advances in technology and automation
Meaning, that if the expected lifetime of a $70M consumer product is 18 months, and it’s 3 months late being delivered because of poor planning, then you need to generate a million more in revenue per month than you’d originally planned—and that’s just to break even!
I bet that wasn’t part of your marketing plan, now was it?
So if you’re a security leader, you’re also faced with a dizzying array of changes to your world every day:
- More sophisticated (and freely-available) attacks
- More complexity in your technology environments
- More vulnerabilities due to more products due to the above complexity
- More integration between “internal” business information and systems and the “external” systems that interact with the Internet
- Less control over your environments thanks to cloud
And those changes are driving you to find better solutions. But innovating the way you work is hard. It requires smart people…and it requires giving them time to think about big problems.
But you don’t have time. You’ve got the Great Horde of APTs pounding on your doors and probably already inside your “walls”.
And we get so caught up in the practices and tactics of “best practices” so that we can show we’re doing things “by the book”, we don’t have time to tackle the hard stuff of real change.
Identify a problem. Make a decision. Implement the decision. See what happens. Identify where it didn’t quite work out. Make another decision.
It’s easy to read, but hard to do. It requires you to think. To deal with uncertainty and probably get it wrong.
And that “Identify where it didn’t quite work out” part is what often gets the short straw. Unfortunately…that’s where the magic is of the whole thing.
But if we want security to “work better” in Andy’s words, we need to really spend time to figure out what’s not working and be prepared to make some changes. And those changes probably aren’t going to be popular, and they are going to be criticized and ridiculed by “the experts” because, well…
“You’re doing it wrong. Don’t you know ‘Agile’ is doing A, B and C?”
But it isn’t. Those are just tactics.
And far, far, FAR too often, we take the tactics as gospel and miss the point.
Agile is a mindset, and it’s a way of operating so you can respond to change and you can deal with uncertainty.
And, to me, that’s what “security” is supposed to do, right?
Isn’t our job to be able to be resilient and responsive to changes in the environment…to deal with the uncertainty of “what might happen next”…
…so we can give confidence to those we support that, “Hey, things are gonna be OK.”
And mean it—because we believe it ourselves.
It’s easy to confuse tactics with a philosophy, because they’re tangible, and we can see them.
But the tactics will – and should – come and go as the world they’re designed to address changes.
You can teach a chimpanzee…or a dog…or even a cat tactics and techniques. But you can’t teach them a philosophy or a mindset…a way of thinking and being.
Agile is what you are. It’s not what you do.
And what you are is about the value you create.
So if you want to truly create a sense of security and confidence in your organization,
…you’ll want to make sure you don’t miss the August issue of the Security Sanity™ newsletter where I talk about a way to do exactly that.
It’s only on sale for the next 3 weeks or so, and after that, it probably won’t be available again—even if I do decide to someday offer back issues.
This is pretty fundamental stuff, and you can make sure you get your copy here:
But on the 31st at 11:59pm US/Eastern, it’ll be too late.
Andrew S. Townley
Archistry Chief Executive
P.S. Here’s something you can do if you liked today’s post: you can sign up for those daily emails that annoying pop-up keeps asking you about. Or, if you want to know more about what you’re going to get if you do and how it works, then just go knock on the front door: https://archistry.com and you’ll get the whole deal.
Or…you can just keep reading the blog, or ignore me and Archistry all together. I’m good either way.