…or at least that’s how it feels
As a security practitioner it's easy to dismiss agile practices: the 'just enough' architecture, the short-term (if any) planning, and the reliance on vanilla solutions as good enough are anathema to anyone who has been around security for a while, particularly if you are a security architect.
But wait! If you arrive at those issues with a positive mindset, surely they can be overcome? Because with agile, they are simply items that need to be placed on a backlog, their priority agreed, and then worked off. This is the idea of the pivot: we need to go in a different direction to the one we've been travelling, and the faster we change course, the sooner we are moving in the right direction.
That's a nice thought, but it ignores corporate culture, human nature and, most of all, the one thing that most technology practitioners and their leaders misunderstand about security and security practitioners: that security is an emergent property of a system, and that as a security person I often (but not always) need other people to do things that make their own lives harder in order for me (and all of us) to be successful.
That often means admitting that things weren't done right, or that someone was ignored, or, my particular bête noire, the fait accompli: "well, we've done it now, so we won't be revisiting it".
What this all adds up to is a broken culture, particularly one where toxic positivity means no one can ever be wrong and mistakes can never be admitted. It doesn't feel like the agile principles are being upheld.
