Enterprise Agility in the Face of Rising Cyber Threats

Jonathan Sinclair, Associate Director, Cyber Security, Bristol Myers Squibb

The following piece will approach the topic of Enterprise Agility with regards to the ever prevalent and increasing pressure of cyber threats on organisations.

It will start by quickly reviewing the stance of Agile, discuss its relevance to the corporate dynamics and organisational structure, describe gaps in the mindset and processes, and conclude with the implication that without greater agility, resilience won’t be realised, and organisations will retain a ‘fire-fighting’ operational stance while facing increasing levels of internal friction while trying to pivot.

Two prevalent perspectives have matured that fundamentally shift the traditional outlook on organisational structure and direction:

1. The idea that all companies are digital companies, regardless of their business sector

2. The expansion of Agile software methods to organisational practices

These two revolutions in the Enterprise space are having disruptive implications for how companies structure and run their businesses, and when not leveraged, will sound the death knell for those unable to demonstrate agility.

Agile:

Agile practices arose out of frustrations in the software development space with having to conform to structured development programmes (Waterfall) that prioritised planning and rigidity over adaptation and flexibility.

After significant failures of this model (Kaur, Sengupta, 2011), Sutherland and Schwaber countered Royce with the development of the Scrum process, which inspired 17 software developers in 2001 to pen the Manifesto for Agile Software Development. That manifesto laid the foundation, and provided the impetus, for today's more successful software development and deployment (CI/CD) methods.

The evolution of this development from structured and planned to flexible and adaptive provides a useful metaphor for the evolving business environment. Its adherence to fixed planning and structure, a relic of the industrial revolution, has yet to lose its shackles in the modern global environment, where opportunities and challenges resist prediction given the stochastic landscape in which all Enterprises now operate.

The answer is therefore to plan for disruption, process-engineer innovation and build in agility, which will reduce the time required to pivot, implicitly create resilience, and ensure a competitive outlook for the organisation.

Cyber threat case study:

To exemplify the point, one only needs to look at the recent rise of ransomware threats () against organisations such as Cognizant, Travelex, Toyota, Garmin, LG Electronics, Xerox, etc.

In these cases, organisations are hit by a cyber threat that spreads, renders IT capabilities inoperable and significantly disrupts a business's capability to function.

Although there are numerous reasons why the threat is able to yield this capability, the inability of an organisation to pivot digital operations to another site or cloud vendor, or to correctly deploy and leverage disaster recovery mechanisms, speaks to the idea that rigid design thinking regarding digital cripples companies' resilience and demonstrates poor planning and an ill-prepared understanding of the modern business operating environment.

Adding further context: Your CISO is no doubt advocating traditional defence-in-depth strategies that require heavy financial investment in areas such as a security operations centre, end-point detection capabilities, hunt teams, threat intelligence feeds, anti-malware software, DLP capabilities, etc.

Only a few will be advocating an agile mindset, complemented with resilient processes that plan for a defensible strategy of adaptation and the ability to pivot.

The existing traditional strategies, despite a recognised need to move away from the Castle-and-Moat analogy, still adhere to and enforce rigid structural elements in terms of process and operationalisation, even in the case of the Zero-trust model, where the 'trust, but verify' adage is espoused. These models fail to significantly leverage an adaptive outlook where fail-over, non-homogeneous redundancy and resilience are key. It's not only about defence-in-depth, but also resilience-at-scale.

It is here that the evolving agile software development paradigm can come to business's aid, in showcasing methods of work that have analogous synergies with business operations, e.g. the rise of container-based software artifacts: operationally self-contained units that are adaptable and can be automatically deployed, managed and linked to CI/CD workflows, etc.

If business units can take on the same dynamic behaviour of being self-contained, adaptable, and transferable while offering resilience, organisations will be in a much better place to react to the global marketplace and threat landscape.

Having stated the above, many reading this will probably consider it a restatement of the old organisational discussion as to whether to centralise or decentralise, and at a high level you'd be correct. However, the salient difference is how processes and a complementary agile mindset are applied.

The advocated shift of focus will not be easy to embrace and will be even harder to implement within the context of an Enterprise organisation; however, the journey must be started, and it can be initiated with a mindset change.

As a leader, one needs to start asking the correct questions about resilience, adaptability, and contingency.

As soon as these questions start to be asked at the top level, they will trigger an approach that is distilled downstream through the organisation.

Traditional metrics like completion time, financial outlay, rigid project planning, ROI, etc. require complementary inquiries that reveal the agile dimension.
