I hear people talk about the importance of training “the business” on security, and I certainly can’t disagree with that, but I maintain that as security professionals we must also work to understand the business needs of the organization and help enable its success. That brings us to the 12th and final principle of our Agile Security Manifesto:
Security must be an enabler. Organizational agility must be met with security agility to maximize data integrity, asset security, and a pristine reputation.
Over the previous 11 installments of the Agile Security Manifesto, we have talked in depth about our definition of Agile Security, but as security professionals how often do we examine what it means to have an agile business organization? More importantly, how can we work to enable the agility of our business organization while continuing to ensure its security posture?
Paul T. Kidd defines an agile enterprise as “one that is not easily damaged and broken by unexpected and unpredictable changes and events.” He goes on to say, “Agility is not just about speed of response - it is about rapid adaptation.”
These definitions sound a little scary. How can we build security practices around business practices that can and will change, over and over? Clearly, we will need to come to some sort of compromise, some bit of restriction on what can change and how dramatically. Throw up the roadblock! Sadly, this is the typical approach.
Very few companies or organizations sell security. The focus of these organizations is on their core offering, whether that is services, information, or the world's best mousetraps. To remain relevant, they must remain agile. As security professionals we must learn our respective business processes, and look at the ways that our security processes can enable a company's success while still protecting its data, assets, and image.
Security shouldn't be a roadblock.
Let’s face it, security is seen by the business as a cost center. In an effort to combat that we often hear the stories of gloom and doom from our security vendor brethren, you know the ones... “It may seem like a lot now, but consider what it will cost when XYZ happens.”
This just continues to add to the animosity and disconnect between business and security. Imagine instead taking the time to understand the business drivers of the company and mapping the value provided by good security, not just delivering the “cost” of undertaking those initiatives securely.
We need to avoid the boogie man scenarios, and focus on how agile security can help enable agile business.