The traditional concepts of continuous monitoring and continuous audit already cover the concerns of security automation, just dressed up in agile terminology.
People often think of agile as implementing tools with Agile branding or simply getting faster, while others consider it to be about business agility. I do think the original idea of Agile is about how people work together (as a self-organizing, cross-functional team) to cope with change and to deliver value (iteratively and incrementally).
Before we start our Agile journey, we had better define our problem statement and what the values behind the Agile umbrella are.
If I wanted to incorporate agile practices, I would first prepare or mimic an agile manifesto. The following is an example of an Agile Manifesto for Cybersecurity from my perspective:
– People and culture over processes and tools
– Business value over comprehensive documentation
– Opportunities over threats
– Proactive prevention over reactive response
How do we deal with InfoSec governance, risk management, compliance and security operations based on the proposed Agile Manifesto for Cybersecurity? That’s a good question to start with.
Finally, incorporating agile elements into the cybersecurity setting is a great idea, but the idea of agile should be defined, or at least clarified, before we go.