An Agile Security Program? I Don’t Think So.

In my vast experience of the Agile Methodology (just over a month now), I have managed to go from a proponent (as in Running PCI as an Agile Project?) to someone who is rather more circumspect when the objective in question falls outside the realm of a short-term project. An easily defined short-term project at that.

In other words, NOT a soup-to-nuts security program.

The overused adage; “If all you have is a hammer, everything looks like a nail.” is particularly relevant here, as Agile proponents have actually gone looking for nails to the point where some security ‘professionals’ are designing their entire program around this single tool! Being generous, this shows a spectacular naiveté,  at worst, it shows a complete ignorance of what constitutes a sustainable and effective security program.

And to be clear; Agile is a tool, nothing more. It is not a philosophy, it’s not even a framework, it is used for very specific requirements at very specific times for an easily quantifiable result; like a new user interface, a segmentation project, or even the installation of a centralised logging technology. Where it make absolutely NO sense is the exact place a good security program starts; with the culture.

The implementation of a good security program has always been, and will always be, more art than science, and completely dependent on the prevailing culture, a culture defined by the CEO’s attitude towards it. In other words, trying to implement a security program AND instill a culture at the same time with nothing more than a single tool, is no different from trying to build an entire house with just a hammer. It simply does not work that way.

Also, those focusing on Agile tend to come from a highly technical background and therefore focus on technology over process, which just compounds the problem to the point where any short-term gains will be built on nothing but air (like my sandcastle ‘metaphor’). Technology is critical for the automation of KNOWN-good processes, it can never be the solution in and of itself.

In one of my first blogs I posited that there are only Four Foundation of Security:

  1. Management Buy-In / Culture
  2. Policies & Procedures
  3. Governance
  4. Education & Training

…I would now actually add a fifth; Vision (or perhaps just include it in the first one), as it’s the CEO’s vision for the organisation that will drive the development of an appropriate security program.

Assuming you agree with the Foundations, perhaps you can now see how using Agile for any one of them is utterly meaningless. Implementing two week sprints and daily stand-ups to ask whether or not the CEO has signed-off on the security policy framework, or if all relevant staff have taken their annual awareness training, makes no sense whatsoever.

In the development of a security program, a competent security practitioner at the CSO / CISO level would usually follow these steps (gross oversimplification):

  1. Get the CEO to agree to take an active role in the program’s implementation / socialisation. Get this in writing.
  2. Define the governance framework to get all relevant senior stakeholders to the table. Have the CEO ratify it.
  3. Draft Information Security Policy Framework for the policy committee’s review and approval. Have the CEO sign it.
  4. Distribute the relevant policies to the right people as part of the socialisation and initial training exercise. Have the CEO visibly endorse it.
  5. Implement an ongoing awareness program to solidify the culture changes. Have the CEO evangelise it.

If you can’t even get the first step in place, you needn’t bother with the rest, as no matter what you do your security program will collapse under the weight of indifference.

No tool is going to fix this, certainly not Agile.

Running PCI as an Agile Project?

First, I have only been ‘doing’ Agile stuff for a little over 2 weeks, so this will be less about project management and more about how achieving PCI compliance should be done. Or or this case, could be done …potentially …unless I’m completely off the mark.

Like any project, PCI is just a whole bunch of action items, assigned to an individual, with a due date. That’s it. Unlike frameworks such as ISO 27001, PCI is written down for you, so it makes sense that a methodology like Agile would be well suited to keep a PCI project moving.

The reason that PCI compliance is so difficult for a lot of organisations, is that regardless of the seeming simplicity, determining what those actions ARE, or which to start first, or even knowing when to stop, can be more of an art form that a science. This is why there are so few good QSAs, as they are the ones who are supposed to be providing the guidance on every question you may have, even before you know enough to ask them.

We’ll leave, budget, resources, and having having management who give a crap aside.

So, if you agree that because the DSS is written down for you that you can determine the list of action items required to validate compliance WELL before you begin, then my theory makes a little more sense.

For example; for every operating system you have, the DSS requirements and the actions items are very clear:

  1. Requirement 2: Have a configuration standard, show evidence that your systems follow it
  2. Requirement 5: Have AV, show evidence that it’s running, or have a compensating control
  3. Requirement 6: Document your vulnerability management process, show evidence that your servers are patched accordingly
  4. Requirement 7: Have some form of LDAP, show evidence that access control lists are enforced accordingly
  5. Requirement 8: Extension of Req 7., show authentication and ID management are enforced
  6. Requirement 10: Turn logging on, demonstrate that your SIEM is reacting accordingly, and that all times are synched
  7. Requirement 11: Have FIM, show that’s running

So for an Agile project, you just create a series of issues in the backlog that correspond to the above, and duplicate EVERY issue for all subsequent operating systems in your environment. Simple huh?

And you don’t need a dedicated project manager, just a scrum master who can run all of the daily stand-ups and bi-weekly / monthly sprints. Of course, getting all of the action items right will take a significant PCI expertise, but once this is done for your environment, there’s really no excuse for a stalled project.

The benefits seem to be;

  1. The level of effort required to achieve compliance is obvious very quickly, so resources can be applied in the most efficient manner
  2. Those not pulling their weight become obvious to everyone from the very first sprint, and a determination of anything from individual employee overload to utter incompetence can be determined
  3. You have to think about PCI in the only way that makes sense, and keeps things moving forward; bite-sized chunks of action items
  4. Workloads can be spread around, with current print tasks reassigned to those with more available time
  5. The process becomes repeatable when every action is recorded during the project’s lifecycle.

Anyone who’s ever seen a PCI project drag on for years, or had people on whom you were dependant make excuse after excuse for months on end, something like Agile could be the edge you’re looking for.

Unless I’ve completely missed the point.