Using ‘agile’ for successful technical information security programs

By George Viegas, Information Security and Privacy at Chapman University

The agile process has been around for some time. It is well embedded in software companies and the software development lifecycle, but not so much in IT. Information security can benefit much from the agile way. Below are four agile elements that are key to successful, large enterprise-wide deployments. Perhaps the most impactful of all information security projects is the rollout of a security awareness program that tests and trains end users with phish email. The four agile elements are therefore best illustrated by tying them to the specific example of a phishing security awareness program that uses a third-party technology platform to roll out to an enterprise-wide internal base of around 10000 users.

Start small and grow big

Rather than go with the big bang of designing a large security campaign that hits the whole company at once, consider a series of campaigns that start small and grow with time. The advantage of starting small is that it gives the CISO an opportunity to learn and understand the company culture and its ability to absorb change. Starting small also provides a good opportunity to work out the technical issues. Start the campaign with a core team within IT and work out the kinks in the system and the culture. My first campaign uncovered technical issues in the email delivery system wherein some users were not getting the email. Had this campaign been sent out to the whole company, we would not have been successful at reaching the end users.

The program goals don’t need to be solid up front

For some technical programs, the goals and targets cannot really be defined up front. In fact, trying to put together numbers can actually hurt the project. For security awareness programs, the metrics for users who fall for phish email are all over the board. So a program goal of a specific target percentage reduction can be set up for failure. Instead, consider exposing the uncertainty in the metrics up front and being clear that there is no pattern to the existing numbers and hence no clear target goal. For organizations that are fixated on having a number, consider explaining that a pattern is expected to emerge and that goals can be formalized then. At the very least, a high-level goal of reducing the number of users who fall for the phish can be set.
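The two points above, a small pilot that exposes delivery failures and a numeric target that is formalized only once the click-rate pattern settles, as an added example that is not part of the original article. The campaign counts are constructed, and the thresholds (5% delivery gap, three campaigns, 25% coefficient of variation) are hypothetical values chosen for illustration, not figures from the author's program.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Campaign:
    name: str
    targeted: int   # users the simulated phish was sent to
    delivered: int  # users confirmed by the platform to have received it
    clicked: int    # users who clicked the simulated phish link


def delivery_gap(c: Campaign) -> float:
    """Fraction of targeted users who never received the email."""
    return 1 - c.delivered / c.targeted


def click_rate(c: Campaign) -> float:
    """Click rate measured against delivered users, so delivery
    failures do not masquerade as users who resisted the phish."""
    return c.clicked / c.delivered


def delivery_problems(campaigns, max_gap=0.05):
    """Names of campaigns whose delivery gap exceeds the threshold;
    a pilot to a small IT core team should surface these first."""
    return [c.name for c in campaigns if delivery_gap(c) > max_gap]


def baseline_ready(campaigns, min_campaigns=3, max_cv=0.25):
    """Return (ready, cv). A numeric reduction target is only
    formalized once enough campaigns exist and their click rates
    vary by less than max_cv (coefficient of variation = stdev/mean)."""
    rates = [click_rate(c) for c in campaigns]
    if len(rates) < min_campaigns:
        return False, None
    cv = pstdev(rates) / mean(rates)
    return cv <= max_cv, cv


# Constructed sample data: a pilot with a delivery fault, then three waves.
CAMPAIGNS = [
    Campaign("pilot-it-core", 40, 31, 9),   # 9 of 40 never got the mail
    Campaign("wave-1", 500, 498, 120),
    Campaign("wave-2", 2000, 1996, 400),
    Campaign("wave-3", 10000, 9990, 1700),
]

if __name__ == "__main__":
    print("delivery problems:", delivery_problems(CAMPAIGNS))
    ready, cv = baseline_ready(CAMPAIGNS)
    print("formalize target:", ready, "cv:", None if cv is None else round(cv, 2))
```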

A steering committee can fast track the program

Very often, the security team rolling out a new product that impacts the whole company needs a feel for the company culture. How will a new, game-changing security product deployment be received? How does the security team want to be viewed when this project hits the road and all the users begin using the product? It is, however, not easy to figure this out up front.

Putting together a steering committee gives the information security team a fast-track way to figure out the most culturally sound way to deploy the new program.

The steering committee is like the product manager on the agile ‘sprint’ team. The right stakeholders know the business and will support the team as it goes through the twists and turns of the deployment track. The steering committee is best formed up front, and in any case not long after project initiation.

Listen and Change

The purpose of the iterative process is to listen and change.

Listen to the team, listen to the committee, and listen to feedback from the end users. Feedback from early campaigns indicated that some teams were very antsy about the program and suspicious of what the security team was doing. These team managers were brought into an advisory role to test and try out new phish emails before they were sent out company-wide. The resulting visibility and engagement headed off the issue right up front.

A continuous feedback loop can also provide the team with valuable data that, in some cases, can help raise the business priority of the program and allow information security to push harder for faster and wider adoption.

The four concepts above can be applied to the deployment of any large information security project or program. Information security projects can be deeply intrusive into the company culture. Projects such as a new web proxy with monitoring rules or new DLP inspection technology can raise significant end-user concerns about privacy. The iterative agile approach is most effective for these deeply impactful projects. By iteratively building the technical pieces and putting together the people and processes, the larger program will come together successfully.