Agile security at scale

Scaled Agile Framework (SAFe) provides a way for the entire organisation to work in an agile way, not only software engineers. Security professionals, lawyers, compliance specialists and procurement teams are encouraged to engage in sprints (or ‘iterations’) too. You don’t have to write code to participate in a retrospective.

I recently had an opportunity to apply some of the Agile practices in my latest cyber security projects while going through formal Leading SAFe training at work.

Many of the ideas are not new, especially if you have worked with Scrum previously, but they don’t have to be new in order to be effective. The framework serves more as a collection of principles and a menu of techniques that can be used to transform large organisations that have ‘always done things that way’.

I particularly like the focus on customer centricity and the inclusion of some of my favourite tools, like personas, empathy mapping and user journeys, in the latest release.

Scalability is where the framework shines – it was developed with large organisations rather than tiny startups in mind. The concepts of Architectural Runways and Enablers also make it more enterprise friendly – not everyone wants to move fast and break things to achieve business agility.

It’s all about putting theory into practice though. Pick something from the toolbox and try it out for yourself. One potential idea is to increase transparency by moving to a simplified shared kanban board, so you can collaboratively prioritise items in the backlog, increase visibility of ‘in-flight’ WIP activities and improve flow. See what you can learn from this and improve continuously.

To do     | Doing     | Done
----------|-----------|----------
Feature 4 | Feature 3 | Feature 1
Feature 5 | Feature 2 |
Feature 6 |           |

Speaking of prioritisation, how do you decide what task to select next? Weighted Shortest Job First (WSJF) is the way to go.

WSJF = (User business value + Time criticality + Risk reduction and opportunity enablement) / Job size

Agile teams are likely already used to estimating feature sizes during sprint planning (e.g. by playing Scrum poker). Now work with your stakeholders to estimate user business value, time criticality, and risk reduction and opportunity enablement to see the full picture.

Feature   | User business value | Time criticality | Risk reduction / opportunity enablement value | Cost of Delay | Job size | WSJF
----------|---------------------|------------------|-----------------------------------------------|---------------|----------|-----
Feature 1 | 5                   | + 5              | + 8                                           | = 18          | / 5      | = 3.6
Feature 2 | 8                   | + 3              | + 2                                           | = 13          | / 8      | = 1.6

Use the Fibonacci sequence for your estimates, focus on one column at a time, and then simply pick the activity with the top score: the one with the higher cost of delay and the shorter duration.

Working in an agile way helps align your security teams around value, stay focused on customer needs and collaborate effectively with other cross-functional teams.
