Building the agile security team

Threats evolve constantly and security teams must evolve with them. Is agile security the answer to being more responsive and keeping the organisation safe?

By John Oates

Tue 6 Jun 2017 @ 18:00

The threat landscape is changing and security teams must change with it. In a panel discussion at InfoSec 2017 this week, an agile security team was defined as one which does not have specific job roles or responsibilities.

Instead, the agile security team is responsive and fluid, reacting to changing demands and feeling empowered to experiment - and on occasion to fail.

The recent WannaCry malware attack was cited as a good scenario where an agile mind-set would thrive. Faced with a new and destructive threat, security teams were forced to react and respond to a rapidly changing environment. No one was able to rely solely on previous experience because it was a genuinely new kind of attack.

But incident response plans, templates and rehearsed scenarios will continue to play a vital role.

Rehearsal not documentation

In a time of continuing skills shortages, the panel discussed what an agile security team is and how it should be recruited, trained and retained.

Vicki Gavin, head of business continuity and information security at The Economist Group, said: “Rehearsal is far more important than documentation. Once it’s documented it’s not even a threat anymore.”

On recruitment, the panel agreed there was too much emphasis on qualifications and skills. Panellists said they were prepared to invest in training the right people. While the agile security team needs a foundation of technical knowledge, this needs to be complemented with softer communication skills. The team also needs to be dynamic and roll with the punches.

Technologists have a tendency to be process driven and lack agility. But an agile team often wouldn’t be able to fall back on old-school working methods and needs to be ready to ‘embrace chaos’.

Remaining on the subject of recruitment in the IT industry, Gavin said: “We tend to recruit exclusively not inclusively – if they don’t have the long list of qualifications, we ignore them instead of looking at the whole person and giving them a shot. Look at the real skills, which are the priority.”

She added: “Think about what you’re actually trying to hire, think four or five skills not 27 – you can’t be an expert in everything.”

The educational value of mistakes

A successful agile team member is more than their CV. Often finding out how they coped with the unexpected or the unplanned in a past role can be illuminating.

One panellist said: “I like to hear about things going wrong and what people do about it again. You get that at interview but not on CV.”

Transparency and communications are essential parts of agile security. Openness could help improve security through the whole organisation.

In security, failure can be costly and hard to accept. Coming up against the unexpected and making mistakes can be an educational process. Security professionals need to be transparent about failure and what can be learned from it.

Embracing transparency can be difficult to do, but it empowers people. Transparency needs to be embedded through organisational culture change.

Organisations need to understand that things will go wrong. Every organisation could be breached. What matters is how teams respond under pressure.

Security teams have to recognise every day is different. Teams become agile through ongoing and open conversations.

Finally, security should touch every part of the organisation. Encouraging the rest of the business to think about security as part of their own roles makes the security team stronger.

Another panellist added: “Security is a collective responsibility. We help bring the whole organisation into that community. It’s got to be part of everyone’s job.”