Agile IT: The role of the CISO in combatting the risks of the ‘move fast, fail fast’ culture

Agile IT: The role of the CISO in combatting the risks of the ‘move fast, fail fast’ culture

Agile IT must be implemented with due caution, says Taj El-khayat, Managing Director – South EMEA at Vectra AI. Here he discusses the role of the CISO when it comes to balancing organisational agility with the need to ensure security is built into any new product/service from the ground up.

GCC governments have staked their futures on technology. Digital Transformation is a prominent pillar of Saudi Arabia’s National Transformation Plan and features heavily in the very long list of economic diversification programmes initiated by the United Arab Emirates’ (UAE) government. Throughout human history, technology has been largely indivisible from progress and now that a global pandemic has accelerated the steady march of digitisation to a teeth-rattling race, IT leaders have some decisions to make.

CIOs are currently being pulled in two different directions. First, business-oriented stakeholders are crying out for bigger, bolder, better experiences for customers and employees. They argue that if the enterprise cannot engage the customer, they will churn; and if the enterprise cannot empower the employee, they will move on. Delivering digital experiences rapidly and continually has given rise to the latest overused buzzword in the technology lexicon: ‘agility’.

But while everybody on the business side appears obsessed with agility, risk-oriented stakeholders are pulling the CIO in another direction. CISOs are in this category. They understand the attraction of high-speed delivery, but they are seeing the business from a different angle. They watch as fellow technologists buy in to the concept of agility as the answer to everyone’s issues. The technology function can deliver more autonomy both to itself and to business users, rolling out low code and other tools to take the burden off backroom coders and free more skilled developers to enhance more technical aspects of the stack.

Risk escalation

But while appreciating the allure of this ‘move fast, fail fast’ paradigm, the CISO must remain operationally opposed. Software development that is performed in a ‘race to the finish’ environment may be great for time-to-market metrics and productivity. It may even be critical for smaller enterprises. But today’s CISO must judge these practices against recent trends. The IT environments they protect have undergone dramatic shifts in topology. Multiple domains now define the corporate network. And endpoints are scattered across controlled premises, uncontrolled third-party environments and employees’ homes. When it comes to agile IT, carrying on as before is, to the CISO’s mindset, an accident waiting to happen.

The security leader must therefore frame a message that connects with other stakeholders and gets them thinking about risk at every step of their delivery cycle. While CIOs relent in the face of determined marketing managers and anxious boardroom executives, CISOs must be the voice of reason — equally passionate about the risks of ‘transformation everywhere’, from the helpdesk to the data centre. Agile IT’s heightened attraction in the Arab Gulf region as a means for companies to take their place in economic visions, make the CISO’s task all the more difficult, but given the UAE’s and Saudi Arabia’s recent battles with threat actors, agile IT must be implemented with due caution.

CISOs should leverage their positions as risk managers to point out any and all instances where the delivery of agile IT has led to the abandonment of corporate governance. They should seek ways of establishing a new chain of responsibility for incidents that is tied to change management, pushing for the leads of agile-driven projects to assume responsibility for any incidents that occur in the absence of security due diligence.

Security as standard

SecDevOps is one example of an attempt to change these cultures in favour of those that establish security as a must-have — a standard requirement for all projects. CISOs know enough to convincingly argue that it is easier, cheaper and more effective to build security in from the ground up. They need to hammer this point home and never allow security to be relegated to a QA-style add-on at the end of the development life cycle.

To keep their employees and customers safe in the modern threat landscape, enterprises and their technology teams must recognise that robust security does not end with mere regulatory compliance. CISOs are in a position to teach them that. They must argue for investment in the industry’s most effective tools and, if possible, the use of independent red teams — ‘friendly’ actors who pose as attackers to test cyber defences. Tools should be capable of monitoring environments and flagging errors in development and configuration. And the business should accept at a cultural level that no product or digital experience is fit for purpose until signed off by the CISO.

Today, digital experiences live in multiple environments. Security tools must allow teams to spot threats across hybrid and multi-cloud ecosystems. They must allow for software vulnerabilities and weaknesses in identity requirements. They must be scalable to allow enterprises to grow their ambitions and their offerings without having to consider the capacity of their security tools.

Slow and steady

It is natural for a line-of-business executive, or even a CIO, to want agile IT. In this respect, such stakeholders form the business’ more reactive side. Their strategy concentrates on the next big delivery rather than the risks behind it. CISOs have a vital role to play in applying the brakes and negotiating a more measured response to competitive markets and demanding customers. They should remind their colleagues that the costly nature of cyber incidents is the stuff of headlines.

Agile projects definitely have their place in today’s enterprise. But sustainable success, as opposed to a series of risky quick wins, requires methodical, purposeful action. Many around the CISO may roll their eyes at the suggestion of ‘slow and steady wins the race’, but if security leaders doggedly lay out the costly alternatives, they may, over time, win hearts and minds.

Click below to share this article

Browse our latest issue

Intelligent CIO Middle East

View Magazine Archive