Agile Security Program
You use Agile for development. Why not for building a security program?
Many organizations have challenges building an effective security program. Some are starting from first principles. Others have pockets of excellence but fail to gain consistent traction toward their organizational security goals. There is no blueprint that will work for every organization; it is inherently a dynamic process. There are resource (funding and personnel) and prioritization challenges. Plans also rarely indicate clearly not just what needs to be done, but what is not yet planned. This transparency and visibility into the plan is essential to building a successful program, and is a natural byproduct of running the security program as an Agile project. At Jemurai, we have extensive experience running projects with Agile methods.
How does it work?
As part of this offering, Jemurai will:
- Lead program inception or kickoff activities. At the start of the project, there will be a focus on gathering information, forming a team and defining goals.
- Inject security knowledge into the process for customer consideration. We do both Agile and Security, so this offering is right in our sweet spot.
- Play the role of the Agile project manager. In our Agile style, the project manager is a facilitator more than a decision maker.
- Develop metrics. Both project and security metrics are important for this type of project.
- Guide day-to-day and week-to-week tracking against the story board.
- Work to continuously improve team dynamics, execution and results.
Experienced Agile Leadership
The folks at Jemurai have been using Agile development methods for managing engineering projects for almost a decade. The same techniques that help to produce predictable, high-quality technical deliverables can be applied to many teams and projects within an organization. See the Jemurai blog series about Agile Security for more information and case studies. The fundamental idea is to make progress highly visible while revisiting direction, priority and goals on an ongoing basis as a part of how the project runs.
Who should be interested?
Organizations wishing to enlist major help in a security program where they will benefit from a metrics-based approach and a high level of transparency and visibility.
Organizations that do not have security leadership, but want to pull teams together to improve their security posture.
What does it cost?
Building a security program using Agile project management requires extensive ongoing consulting.
Step up
Jemurai provides a number of security services, including pure manual security code review, security architecture review, and application scanning and testing, and can engage with organizations to develop security programs and build security into their SDLC.