With cyber threats on the rise, it’s critical to take a proactive approach to embedding security measures when transforming to frameworks like Scaled Agile (SAFe^®). Here, PM-Partners Agility Practice Lead and Agile Principal Consultant Matt Sharpe shares his strategies for creating a secure and resilient agile environment in your organisation.

Cyber security is a hot topic right now, with major cyber incidents increasing in frequency, sophistication, and severity, impacting organisations both large and small. These impacts can range from inconvenient downtimes through to the loss of critical services and data leaks, often leading to major public relations disasters, financial loss and in some cases legal proceedings, which can involve board-level criminal culpability.  

As organisations embrace new ways of working, including the implementation of agile frameworks such as the Scaled Agile Framework (SAFe^®) to improve efficiency and adaptability, it’s crucial to plan for and integrate robust cyber security measures into this transition. Cyber threats are evolving, and an agile environment presents unique challenges that need proactive strategies.  

Here are some key considerations to help your organisation ensure that cyber security is a priority during your Scaled Agile transformation.

10 tips for integrating cyber security in SAFe^®

1. Include security as a key component 

Integrate security from the outset of your SAFe implementation. Security should not be an afterthought but a core aspect of your organisational culture. By embedding security into the agile framework, you create a foundation where every team member is aware of and responsible for maintaining cyber security standards. 

2. Establish security champions 

Appoint security champions within each Agile Release Train (ART) or team. These individuals are tasked with promoting security practices, providing guidance, and raising awareness about potential risks. Security champions serve as the bridge between security experts (who are often separate from the ART) and agile teams, ensuring that security is a continuous focus and priority. 

3. Implement secure coding practices 

Adopting secure coding practices is essential to prevent vulnerabilities from being introduced into your software and systems. Encourage practices such as input validation, output encoding, and proper handling of sensitive data – and ensure that these are built into the acceptance criteria for every epic and feature. Providing ongoing training and resources for your teams ensures that secure coding becomes a standard practice. 

4. Perform threat modelling 

Incorporate threat modelling into your development process. By identifying potential security threats and vulnerabilities early, teams can design appropriate countermeasures, and ensure that these are added to the ART backlog and architectural runway as enabling features. Threat modelling helps in understanding the attack surface and preparing for potential security challenges before they become issues. 

5. Conduct regular security assessments 

Routine security assessments are vital to identify weaknesses and vulnerabilities in your systems. Activities such as penetration testing, vulnerability scanning, and code reviews should be performed regularly – ideally as part of each planning increment (PI). These assessments help in maintaining a strong security posture to prioritise and address issues promptly. 

6. Establish secure DevOps practices 

Security should be integrated into DevOps practices to ensure continuous protection throughout the software development lifecycle. Promote practices such as continuous integration, continuous delivery, and automated security testing. This approach ensures that security checks are part of the development pipeline, identifying and catching vulnerabilities early. 

7. Implement secure infrastructure 

Your infrastructure needs to be secure to support agile practices. Follow best practices for network security, access controls, encryption, and monitoring. Regular updates and patches for software and systems are essential to protect against known vulnerabilities and emerging threats. 

8. Provide security training and awareness 

A joint study by Stanford University and security firm Tessian found that nearly 90% of cyber incidents are caused by human error. Educating all employees on cyber security best practices is crucial. Topics should include password hygiene, phishing awareness, and data protection. A culture of security awareness and accountability ensures that everyone in the organisation understands their role in maintaining security. 

9. Establish incident response and recovery plans 

Prepare for security incidents with well-defined response and recovery plans. Regularly test these plans to ensure they are effective. Define roles and responsibilities, communication protocols, and escalation procedures to respond swiftly and effectively to incidents. Consider carrying out these activities as part of your regular innovation and planning (IP) iterations at the end of each PI and include as many members of your organisation as possible. 

10. Stay informed and updated 

The cyber security landscape is constantly changing. Stay informed about the latest threats, vulnerabilities, and best practices. Regularly review and update your security policies, procedures, and controls to address new risks and ensure ongoing protection. Cyber security should be the responsibility of everyone in the organisation, from executives through your lean portfolio management (LPM) cadence and down into your ARTs and teams. 

Much of these recommendations are consistent with the agile principle of ‘prevention over detection’, as they promote catching issues early and preventing them from becoming bigger problems later. This approach aligns with the idea of ‘shifting quality left’, i.e. moving the focus to ensuring quality earlier in the software development process, which involves integrating quality assurance activities, such as secure coding practices, threat modelling, and code reviews, earlier on in the lifecycle. By doing so, potential vulnerabilities, defects and issues can be identified and addressed, reducing the likelihood of them causing problems or attacks later in production.  

Actionable takeaways 

• Incorporate security into the agile planning and execution phases. This ensures that security considerations are addressed continuously. 

• Designate and empower security champions. Their role is crucial for promoting a security-first mindset within agile teams. 

• Regularly train and update your teams on secure coding practices. Continuous education helps in maintaining high security standards. 

• Make threat modelling a standard practice in your development process. Early identification of threats can save significant time and resources. 

• Conduct frequent security assessments. Regular evaluations help in identifying and mitigating potential vulnerabilities. 

• Integrate security into your DevOps pipeline. Automated security tests can detect and fix issues before they reach production. 

• Ensure your infrastructure is always secure and up to date. Regular maintenance and updates are key to preventing breaches. 

• Foster a culture of security awareness. Continuous training and awareness programs help in building a resilient organisation. 

• Develop and test incident response plans regularly. Preparedness is crucial for minimising the impact of security incidents. 

• Stay ahead of threats by keeping informed. Regularly update your knowledge and practices to counter emerging risks. 

• Shift quality left. This helps in achieving faster feedback, reducing rework, and improving overall product quality.  

By focusing on these cyber security considerations, project professionals can ensure that their organisations not only benefit from the implementation of agile methodologies but also maintain a strong security posture. Embracing these practices will help protect your systems and data, fostering a secure and resilient agile environment. 

In the face of mounting cyber risks, organisations across sectors are compelled to adapt and improve their cyber resilience. For further guidance on integrating cyber measures into your SAFe transition, or equipping business leaders or teams with cyber skills, talk to the experts at PM-Partners. Contact us online or call our team on 1300 13 14 today. 

About The Author

Matt Sharpe

Agility Practice Lead/ Agile Principal Consultant, PM-Partners

Matt has a proven track record across multiple industries, from government and financial services to not-for-profit and media, and is passionate about helping organisations succeed through leveraging best practice in business agility, change management, digital, agile transformations, and capability uplifts. He has deep expertise across agile project, programme and portfolio management, diagnostics and assessments and extensive experience in consulting, digital strategy, BPR, analytics and project management. Matt is a Certified SAFe® 6.0 Practice Consultant (SPC), AgilePM practitioner, Lean Portfolio Manager, certified Scrum professional, CSM and CSPO.