Agile IT Role of the CISO in Combating the Risks
Digital transformation is a prominent pillar plan and has the participation of more than 15 ministries and public bodies and more than 25 economic, business, and social agents. Throughout human history, Technology has mainly been inseparable from progress.
Now that a global pandemic has accelerated the steady march of digitization into an obstacle course, ICT leaders have to make some decisions.
CIOs are currently being pulled in two different directions. First, business-oriented stakeholders cry out for bigger, bolder, and better experiences for customers and employees.
They argue that if the company cannot engage the customer, it will unsubscribe the customer, and if the company cannot empower the employee, the employee will leave. Delivering digital experiences quickly and continuously has spawned the latest buzzword in the tech lexicon: “agility.”
But while everyone on the enterprise side seems obsessed with agility, risk-oriented stakeholders are pulling the CIO in another direction. CISOs are in this category.
They understand the appeal of high-speed delivery but see the business from a different angle. They watch as their fellow technologists embrace the concept of agility as the answer to everyone’s problems.
The technology function can offer more autonomy to both itself and business users, deploying reduced code and other tools to ease the burden on backroom coders and free up more skilled developers to improve more technical aspects of the stack.
Risk Escalation
But while I appreciate the allure of this ” fast, fail fast paradigm, ” the CISO must continue to oppose it operationally. Software development in a “race to the finish” environment can be significant for time-to-market metrics and productivity and can even be critical for smaller businesses. But today’s CISO must judge these practices against recent trends.
The IT environments they protect have undergone dramatic topology changes, and multiple domains now define the corporate network. And endpoints are scattered across controlled facilities, uncontrolled third-party environments, and employee homes. Regarding “Agile IT,” business as usual is, to the CISO mindset, an accident waiting to happen.
Therefore, the chief security officer must structure a message that connects with other stakeholders and makes them think about risk at every step of their delivery cycle.
While CIOs bow to CMOS and boardroom executives, CISOs must be the voice of reason, equally passionate about the risks of “transformation everywhere,” from the help desk to the data center.
The increased appeal of Agile in IT as a means for companies to take their place in economic visions makes the CISO’s task even more difficult. Still, given the recent cyber threats, we should implement agile dogma in IT with due caution.
CISOs should leverage their position as risk managers to point out instances where Agile delivery in TII has led to the abandonment of corporate governance.
They should look for ways to establish a new chain of responsibility for incidents linked to change management, pushing for Agile project leaders to take responsibility for any incidents that occur without security due diligence.
Security as Standard
SecDevOps is an example of an attempt to change these cultures in favor of ones that make security a must, a standard requirement for all projects.
CISOs know enough to make a compelling case that it’s easier, cheaper, and more effective to build security from the start. They need to insist on this and not allow security to be relegated to a Q&A plug-in at the end of the development lifecycle.
To keep their employees and customers safe in the modern threat landscape, businesses and their technology teams must recognize that solid security doesn’t end with mere compliance.
CISOs are in a position to teach it to you. They should advocate for investment in the most effective tools in the industry and, if possible, for the use of independent red teams, that is, “friendly” actors posing as attackers to test cyber defenses.
Tools must be able to monitor environments and flag development and configuration errors. And the company must accept on a cultural level that no digital product or experience is fit for purpose until the CISO approves it.
Today, digital experiences live in multiple environments. Security tools must enable teams to detect threats in hybrid and multi-cloud ecosystems.
They must take into account software vulnerabilities and weaknesses in identity requirements. They must be scalable so that companies can grow their ambitions and offerings without considering the capacity of their security tools.
Slowly But Surely
It’s natural for a line-of-business executive, or even a CIO, to want to implement Agile in IT. In this sense, these stakeholders form the most reactive side of the company. His strategy focuses on the next big release, not the risks behind it.
CISOs are critical in the brazing and negotiating a more measured response to competitive markets and demanding customers. They should remind their colleagues that the costly nature of cyber incidents is what makes headlines in the press.
Agile projects certainly have their place in today’s business. But sustainable success, unlike a series of risky quick wins, requires methodical and determined action.
Many around the CISO may roll their eyes at the suggestion that “slow and steady wins the race,” but if security managers painstakingly lay out the costly alternatives, they can, in time, win hearts and minds.