Three Characteristics of a Successful Agile Security and Risk Management Implementation

The cost of cybercrime damage is skyrocketing. In fact, Cybersecurity Ventures’ “2017 Cybercrime Report” estimated that the total cost will reach $6 trillion annually by 2021. In addition, Verizon’s “2017 Data Breach Investigations Report” noted that 81 percent of breaches recorded in 2017 exploited weak or stolen credentials, and 14 percent involved privilege misuse.

For these reasons, as organizations embrace cloud, automation and orchestration to support digital transformation, security is coming into sharper focus as a priority during app development. In fact, according to F5 Networks, security services account for four of the top five application services currently deployed.

The question now is, how can we create development platforms capable of addressing more frequent, complex, pervasive, disruptive and potentially disastrous security challenges? More specifically, as regulatory requirements mount and C-level leaders are increasingly held personally liable for data breaches, how can we empower organizations to successfully deploy cutting-edge technologies such as artificial intelligence (AI), quantum computing, the Internet of Things (IoT) and blockchain microsegmentation?

Fight Fire With Fire

Although many organizations are making good progress toward improving their security posture, business leaders need to change their approach and embrace new ways of implementing security natively as increasingly complex threats emerge and multiply in 2018.

This requires security teams to move beyond doing the bare minimum to meet compliance and implement proactive measures to protect enterprise data from today’s sophisticated fraudsters. A Bitglass report revealed that 87 percent of organizations had experienced at least one cyberattack during the previous year, suggesting that manual, compliance-centric approaches to data protection are no longer sufficient to address the latest cybercriminal developments, such as the use of weaponized AI in automated spear phishing attacks.

Large enterprises already face billions of cyberthreats every day — so how can they possibly prepare for the trillions more that will surely result from the increasing use of cognitive technology in cybercriminal campaigns? Agile security and risk management (ASRM) is the only way to address these emerging challenges and empower business leaders throughout the organization to make better, more informed decisions about cyber risks.

By leveraging the power of AI and quantum computing, organizations can fight fire with fire to thwart even the savviest of threat actors. The ASRM approach enables security leaders to reduce their threat and vulnerability exposure via microsegmentation and minimize the cost of cybercrime damage through preventative measures, advanced assessments and contextualization.

What Is Agile Security and Risk Management?

In general, security management involves identifying the company’s assets and implementing policies to protect them. By extension, Agile security management is a continuous, pervasive and proactive method of protecting assets at a microsegmented level. This process involves all team members during all phases of the development life cycle.

ISO 31000 defines risk management as “the effect of uncertainty on objectives.” Correspondingly, Agile risk management is an approach that continuously identifies, assesses, treats, verifies, reports and monitors vulnerabilities through all stages of the life cycle.

Three Key Principles of ASRM

These definitions may be relatively simple, but transitioning from a traditional risk management approach to an Agile framework requires a substantial transformation and a concerted effort from multiple departments and stakeholders. Security professionals should embrace the following principles of ASRM to successfully implement these strategies throughout the enterprise.

1. ASRM Is Everyone’s Job

Although security and risk experts will remain in high demand for the foreseeable future, ASRM must be continuously taught, practiced and verified by all available corporate resources, including humans and AI-powered computing devices. Companies should provide training, nonretaliatory reporting outlets and comprehensive processes to prepare all resources to deal with the upcoming wave of AI-powered cybercrime.

From full-time corporate executives to contractors, suppliers, partners, customers and computing devices, all resources must be engaged in the proactive protection of corporate assets. The IBM X-Force Command Center is a great way to help your team refine its incident response and cyberdefense skills.

2. Continuous, Iterative and Incremental ASRM Delivery

Most current review practices call for hiring a group of security, risk, compliance, governance, business assurance and legal experts to assess the compliance status of various deployments against common regulations, standards and principles. These reviews often involve a pre-established list of questions that are already widely known among business units, causing auditors to miss crucial security gaps.

Organizations are best served by engaging all their resources to implement security and risk practices throughout the entire life cycle. Just as a builder would wire a house for electricity during the early stages of construction, security and risk activities should be conducted from the initial planning and inception through to decommissioning, end-of-life or destruction.

Organizations should also conduct continuous Agile training to implement security and risk in an iterative and incremental manner. Consistent and pervasive delivery is crucial to the success of the ASRM approach. Tools such as IBM Security AppScan are tailored to assist security teams with ASRM detection, protection and prevention.

3. Top-Down and Bottom-Up ASRM Decision-Making

Hierarchical organizations and societies can grow and maintain order, yet they cannot adapt to today’s decentralized, pervasive and multiplying cyberattacks, which grow more destructive every year — they just aren’t Agile enough.

In fact, for fear of being reprimanded, employees often fail to report potential threats and risks. Companies should develop bug bounty programs to promote and celebrate Agile security and risk discussions. As part of Agile daily stand-ups, security teams should test their code and review their architecture and patching posture in the context of ASRM. By generating continuous feedback regarding all Agile activities, teams can release higher-quality and higher-value features at a faster pace.

The Race Is On to Embrace ASRM Modernization

If you are still unsure about Agile security, consider that it only takes nanoseconds to steal trillions of dollars from an infiltrated environment. How many assets and future gains (e.g., intellectual property) can you afford to lose? How much damage could a professional cybercriminal inflict over the standard cyberbreach remediation period of 18 months?

To embrace better corporate agility, organizations must increase communications, create room for small, rapid failures and empower their people and AI-empowered solutions to render and own ASRM decisions. Until ASRM adoption becomes ubiquitous, enterprises of all sizes will continue to suffer data breaches, experience significant staff turnover and be targeted by corporate investment activists.

As shareholders, investors and employees, we are all entitled to true management transparency, visibility and understanding of corporate security and risk posture. In addition to the summaries that are currently published as part of annual reports for publicly traded companies, shareholders should demand evidence of ASRM modernization. Otherwise, how can they justify investing sweat equity into an organization that can be wiped out overnight like a house of cards?

ASRM requires substantial, strategic transformation. Many large organizations have already completed the first phase of transitioning their development practices from waterfall to Agile. Fully embracing ASRM is the next step along the Agile adoption journey.

Anyck Turgeon

C-BISO / CIO (Sr. Cyber-Engineer)

With more than 25 years of technology innovation and security experience, Anyck Turgeon is a proven executive with...