Lean Security Crash Course on November 28th
Just like an organization’s ability to innovate, its cyber security hinges on courageous decision making: daring to experiment, and also to speak up when something does not seem right. In agile organizations, great decisions need to happen throughout the organization. No one can really afford to let scarce security experts become bottlenecks, or to let risk decisions be made in silos with data flowing into isolated systems.
When developing business solutions or applications, there’s an inevitable trade-off between speedy execution and taking into account all security considerations. This is why many agile teams rely more on security testing of launches, and fixing vulnerabilities post mortem. Most tools for assessing risks and needed security measures just end up being one-offs at the kick-off, too heavy to be run throughout the project. Or (in larger organizations) the risk assessment tools are just used by the organization’s security experts, not even intended to fit into the daily routines of project teams. And sadly, more often than not, security decision data never meets other risk data and little to no feedback loops exist for learning to make better decisions.
Together with a small group of curious business leaders, Cult and Fingertip piloted an analog/digital hybrid solution for making security decisions a daily routine. We simulated both threat modeling in an application project (we played a food delivery app company!) and the handling of a security incident in an organization. We tested how Fingertip could enable us to quickly involve multiple people in decision making and in sharing ideas and opinions, while organically accumulating critical data about security risk decisions. Especially when things go wrong and there’s an incident, an organization can learn a lot from such digital logs of decision making. Fingertip also embeds action plan workflows, enabling anyone in the organization in a crisis situation, such as a security incident, to start the process and act with resolve. Being able to systematically follow a workflow like that can really bring down the heat in an otherwise debilitatingly chaotic situation.
Eager to learn about how to integrate security into agile organizations? Fingertip and Cult Security are organizing another breakfast workshop on business threat modeling on the 28th of November: