Agile project management and software development methodologies have been around for some time now. However, they have only gained mainstream use in recent years, in part due to their great effectiveness in keeping pace with the ever-increasing speed of technology development. In the broader context, they also provide a useful toolkit for organizations to remain competitive and sustainable in today’s fast-changing world.
The basics of agile
Let’s take a step back and look at what agile project management is and how information security fits into its concepts.
Different agile concepts and practices have been developed throughout the years. In 2001, the Agile Manifesto was conceived by seventeen people who met and exchanged ideas on common practices that enabled successful software development projects. These authors represented different methodologies, from Extreme Programming, Scrum, Feature-Driven Development, and more. They came up with four key values and twelve principles that were common to the known agile methodologies and allowed for favorable outcomes of IT projects.
One commonly used and successful framework that aligns with the Agile Manifesto is known as Scrum. Initially defined in 1993, Scrum provides a framework for managing project work. The basic premise of Scrum is to break down a project into multiple iterations and shift away from traditional waterfall-type project methodologies in which emphasis is put on processes that don’t work. These include long and elaborate preliminary analysis and fixed product requirements that lead to projects delivering several weeks, months, or even years late.
The key to using Scrum successfully is to assign dedicated people to a project. These people should share common values such as transparency, openness, respect, courage, and adaptability – as well as remain focused on delivery.
An iteration in Scrum is called a Sprint, which is typically a one to four-week period and generally no longer than a month. Work to be performed in a Sprint is planned at the beginning of each Sprint and is then executed and managed on a daily basis in order to deliver an incremental amount of work towards building a product.
After each Sprint, the product is useable and potentially releasable. Although the product might not yet look good – it may still have many missing features and still be full of bugs – it is useable enough that the team is always working with something concrete that can be continuously inspected and reviewed. This is why Scrum is viewed as an empirical approach to project management and software development since it is experience-based and allows a team to work with operational software and facts.
A key role in Scrum is the Product Owner. The Product Owner is the sole person responsible for defining the vision of a product and is the voice of the clients as the end-users or customers of the product. In larger organizations, a Product Owner can be backed by a committee, but the Product Owner is the only person that can define the priority of work to be done in a project.
In Scrum, the Product Owner defines the work to be prioritized in every Sprint and the work that remains to be done in future Sprints. Work to be done is managed in a so-called Product Backlog, an ordered and living list of everything that is known to be needed in the product, including features, functions, requirements, enhancements, and fixes that continue to evolve. This list is continually updated to adapt to changing business needs, including market conditions and the evolution of technology.
So how does security fit into this?
In today’s world, it is pretty much impossible to define a vision of a product that does not include security. The increase in security threats and the monetization of information has demonstrated that practically every system can be hacked. In one example, hackers managed to penetrate a casino’s database using an IoT (Internet of Things)-enabled smart thermostat attached to a fish tank. The case demonstrates how even seemingly mundane connected devices can become points of vulnerability, used to steal sensitive information and plunging organizations into deep water (no pun intended).
A product’s security is certainly crucial to the organization offering the product, from the standpoint of preserving the reputation of the organization as a trusted provider. But, it is also critical from the customer or client perspective since no one wants to use a product in which you cannot trust the security and integrity.
So, a Product Owner is ultimately responsible for identifying and prioritizing security requirements in a product in order to maximize its value. A Product Owner may be advised by an information security analyst, a cybersecurity specialist, a security architect, or any other member of the development team, but the product owner remains responsible for the security of the product. These security requirements, often viewed as non-functional requirements, can take the form of success criteria that are an intrinsic part of the definition of a minimum viable product.
How does agile help security?
On the other hand, agile frameworks can also be of great help to security. In today’s world, ensuring the security of an organization is not a straightforward task. Information that an organization manages is omnipresent in various systems hosted on-premises, offshore, or in the cloud, with an ever-changing technology landscape and threats evolving at a very rapid pace.
Ensuring information security involves far more than simply installing a firewall and antivirus software. It encompasses multiple technologies, administrative procedures, and physical controls that implement varying levels of security, allowing an organization to augment its chances of identifying, protecting, detecting, responding to, and recovering from threats. This is where security standards such as the WLA Security Control Standard and ISO 27001 come into play, providing a comprehensive list of controls and requirements for lottery and sports betting operators as well as their suppliers.
When deploying and updating security products, organizations face the challenges of choosing the right solution and deploying it with the right configurations and supporting processes.
A traditional approach involves identifying the perfect security product through the engagement of a long preliminary analysis in an attempt to evaluate the feasibility of a solution. Instead, one can opt for a more agile approach where different products are rapidly explored and tested in real life, refining solution requirements and operational processes through empirical testing. This way, one can quickly refine a product or simply define the requirements for a future solution that will be acquired.
In general, this agile approach increases the speed at which an organization can attain security control objectives. Furthermore, it’s aligned with the principles of continual evaluation and improvement of an information security management system.
Information security is an integral part of a product’s value, and the responsibility lies with the Product Owner, who holds a critical role in agile frameworks such as Scrum. Agile frameworks can enable information security by accelerating the delivery of security solutions that have demonstrable value. Ultimately, adopting agile practices can accelerate both the delivery of products and their security.
By Anton Stiglic, M.Sc, MBA, Senior Corporate Director of Information Security, Gaming Compliance and IT Governance at Loto-Québec, and Vice Chair of the WLA SRMC Technical Working Group.