Orange County Chapter

Program, January 2010

Agile Security

Monday, January 11, 7-9 pm

Israel Lopez has produced a video recording of Peter's presentation. In addition, we also have a straight audio recording of the meeting.

The January program in Orange County will feature Peter Schawacker who will speak to us about how he's using Agile project management to build security operations and intelligence analysis centers.

Some IT security pioneers are have started adapting Agile management techniques long used by the world's best manufacturing companies to more effectively introduce and implement security solutions that better meet customer needs. One such application of Agile is a simple, light-weight framework known as Scrum. This presentation is a brief introduction to Scrum and how it can be used within Information Security programs.

The primary goal of Scrum is to enable teams to deliver what customers (internal and external) want, frequently and predictably. It provides a system for facilitating rapid change in environments where requirements are emergent and therefore difficult to anticipate. We will begin with a brief report on one team's experience adopting Scrum to build a Security Operations and Analysis Center at a large company. Then we will discuss of principles of Agile and why they are so well-suited to Information Security. Finally, we will provide a sketch of how Scrum works.

"People, Process, and Technology" is a theme that echoes throughout our industry. It is ironic that the first of these three words is the one about which we as Information Security professionals understand the least. We are confident about our grasp of Process and Technology. The IT industry has at its disposal plenty of technological tools and a rich body of knowledge on how to design, maintain, and optimize processes. But so far, the People aspect of our work remains relatively mysterious. How do we cope with inadequate staffing, uneven distribution of information, shaky morale, interdepartmental mistrust, and shifting needs for specialized knowledge? How do we surmount the walls that separate Information Security from "The Business"? There is no technology that will make security experts out of business owners, nor is there a tool that will make Information Security experts understand the crucial aspect of the business. We need better ways to get people to collaborate -- to build mutual trust between all aspects of the business.

Agile is an approach to managing complex development efforts. It has been used to stunning effect in creating software. Agile's roots are in Lean -- the basis of the Toyota Production System that revolutionized the automobile industry and many others. To casual observers, Agile and Lean are merely process and technology methodologies. But in fact they work by changing people's attitudes toward collaboration and true customer satisfaction. (The essence of Lean is the relentless pursuit of perfection, which, like Information Security is an unobtainable absolute.) If delivering value to our customers is important, what can we learn from the world's most successful companies? Can Lean/Agile be used to the same effect in Information Security?

Peter Schawacker, Principal Consultant for Security Operations Center Consulting, is Alchemy Security's Senior SIEM and SOC specialist and resident Agilist. He helps large enterprises and government organizations create Information Security analysis capability. Currently, Peter is building a SOC at the Bank of Canada in Ottawa. Before that he was the SOC Program Manager for Hydro-Quebec in Montreal, Canada. Prior to joining Alchemy Security, Peter ran SIEM and SOC projects at the Southern California Metropolitan Water District in Los Angeles and at Estee Lauder in Long Island, New York. He has made key contributions to SOC and related Information Security projects at major companies including ISS, NFR, McAfee, First Data Corporation, Qualcomm, and Citigroup, where, in the late 1990s, Peter led the bank's first 24/7 network intrusion detection and vulnerability management team. Prior to that, Peter was an early employee of EarthLink where he worked as a technical writer and NOC analyst. He has spoken at Information Security conferences worldwide. Peter has also served as a technical editor for Wiley Publishing and freelance reporter. When not globetrotting the world, Peter calls Los Angeles home. These days Peter blogs at www.alchemysecurity.com.

Back to the UUASC Orange County overview