Why CISOs don’t trust Agile culture

The Agile culture has been spreading like a mantra in practically all companies. In this regard, CIOs are currently being pulled in two different directions. First, business-oriented stakeholders are crying out for bigger, bolder, and better experiences for customers and employees. They argue that if the company cannot engage the customer, the customer will be unsubscribed; and if the company cannot empower the employee, the employee will leave. Delivering digital experiences quickly and continuously has spawned the latest buzzword in the tech lexicon: “agility.”

But while everyone on the enterprise side seems obsessed with agility, risk-oriented stakeholders are pulling the CIO in another direction. CISOs are in this category. They understand the appeal of high-speed delivery, but they see the business from a different angle. They watch how their fellow technologists embrace Agile culture as the answer to everyone’s problems. The technology function can offer more autonomy to both itself and business users, deploying reduced code and other tools to ease the burden on backroom coders and free up more skilled developers to improve more technical aspects of the stack. .

Risk escalation

But while appreciating the allure of this “move fast, fail fast” paradigm, the CISO must continue to oppose it operationally. Software development that takes place in a “race to the finish” environment can be great for productivity and time-to-market metrics. It can even be critical for smaller businesses. But today’s CISO must judge these practices against recent trends. The IT environments they protect have undergone dramatic topology changes. The corporate network is now defined by multiple domains. And endpoints are scattered across controlled facilities, uncontrolled third-party environments, and employee homes. When it comes to Agile IT, business as usual is, to the CISO mindset, an accident waiting to happen.

CISOs see how their fellow technologists accept Agile culture as the answer to all problems

Therefore, the chief security officer must structure a message that connects with other stakeholders and makes them think about risk at every step of their delivery cycle. While CIOs bow to CMOs and boardroom executives, CISOs must be the voice of reason, equally passionate about the risks of “transformation everywhere,” from the help desk to the center. of data. The increased appeal of Agile in IT, as a means for companies to take their place in economic visions, makes the task of the CISO even more difficult, but given the recent cyberthreats, the Agile dogma in the field of IT should be implemented with due caution.

CISOs should leverage their position as risk managers to point out any and all instances where the delivery of Agileen TII has led to corporate governance abandonment. They should look for ways to establish a new chain of responsibility for incidents that is linked to change management, pushing for Agile project leaders to take responsibility for any incidents that occur in the absence of security due diligence.

Security as standard

SecDevOps is an example of an attempt to change these cultures in favor of ones that make security a must, a standard requirement for all projects. CISOs know enough to make a compelling case that it’s easier, cheaper, and more effective to build in security from the start. They need to insist on this point and not allow security to be relegated to a Q&A plug-in at the end of the development life cycle.

To keep their employees and customers safe in the modern threat landscape, businesses and their technology teams must recognize that strong security doesn’t end with mere compliance. CISOs are in a position to teach it to you. They should advocate for investment in the most effective tools in the industry and, if possible, for the use of independent red teams, that is, “friendly” actors posing as attackers to test cyber defenses. Tools must be able to monitor environments and flag development and configuration errors. And the company must accept on a cultural level that no digital product or experience is fit for purpose until the CISO approves it.

Today, digital experiences live in multiple environments. Security tools must enable teams to detect threats in hybrid and multicloud ecosystems. They must take into account software vulnerabilities and weaknesses in identity requirements. They must be scalable, so that companies can grow their ambitions and their offerings without having to consider the capacity of their security tools.

slowly but surely

It’s natural for a line-of-business executive, or even a CIO, to want to implement Agile in IT. In this sense, these stakeholders form the most reactive side of the company. His strategy focuses on the next big release and not on the risks behind it. CISOs have a critical role in putting on the brakes and negotiating a more measured response to competitive markets and demanding customers. They should remind their colleagues that the costly nature of cyber incidents is what makes headlines in the press.

Agile projects certainly have their place in today’s business. But sustainable success, unlike a series of risky quick wins, requires methodical and determined action. Many around the CISO may roll their eyes at the suggestion that “slow and steady wins the race,” but if chief security officers tenaciously lay out the costly alternatives, they may, in time, win hearts. and minds.

By Ricardo Hernández, Country Manager for Spain and Portugal of Vectra AI