Agile Cybersecurity


Information Security: You’re Doing It Wrong

Cybersecurity is a constantly changing landscape. Threats change as rapidly as attack surfaces. New tools and technology are extremely accessible - cloud servers running databases that can serve hundreds of thousands of clients (or more) can be set up for a few tens of dollars per month (or less).

Still, the best the United States Government has to offer in terms of cybersecurity guidance is NIST’s Risk Management Framework. Maybe you’ll start at 800-37, which won’t really tell you anything in 101 pages. You could start reading the 1800-series documents, and they might help you with compliance and policy creation if you’re one of the very few people involved in that work, but otherwise, probably not.

The reality is that most cybersecurity vulnerabilities arise from a lack of patching and from deliberate actions taken by users.

Vast sums of money are spent on policy construction and procurement of complicated tools instead of building up from ground zero with strong patching policies (including approaches intended to ensure robust deployment of patches, such as automated testing and configuration management). Plenty of dough is dished out for automated vulnerability scanners, automated intrusion detection systems, and automated everything - except for automated patching and application-focused automated testing.

Imagine if your physical security specialist installed a six-figure infrared imagery system with recording and off-site backups, but neglected to install six-dollar security hinges for the exterior doors in your facility.

We have to fight infatuation, whether that’s infatuation with toys or policy, and make sure money is being spent in the most cost-effective ways. That starts with simplifying and even automating the low-level, high-frequency, high-value tasks. 1

In agile software engineering, we talk about minimum viable products, continuous integration, and continuous delivery. Massive enterprises are pretty successful at this.

In cybersecurity, we should be talking about minimal-impact mitigation, automated testing on production software, and automated deployment of hardened applications and infrastructure once those tests have been passed. And we can do this without three hundred pages of “risk management” - no one reads it all, anyways2.


  1. Yes, I’m implying that a root cause is that we’ve got a community of geeks more interested in shiny objects than in the boring day-to-day of practical individual contributions to organization security. There, I said it.

  2. Seriously, prove me wrong.