Digital Security

Digitally enabled security means security and compliance do not depend on specialized resources and security governance board review meetings, manual documentation and long cycle times for approvals to attest that requirements have been followed.

Security design is a given, and testing is automatable so that compliance pass/no pass is instantly available and/or actionable by a development team in a sprint. Security experts focus on strategies and enabling federated processes that support streamlining adherence rather than inspection.

Score: 100-80

Section Scoring

100 - 80 PTS

Digital product engineers can automate and otherwise act on or show that security and compliance requirements are met as part of a sprint rather than security being an inspection action after development. Compliance data gathering and auditable reporting are automated and done in real time.

Digital Execution Ready

100 - 80 PTS

There’s a strategic need to enable security and compliance automation and self-service so digital products can be launched at speed and with appropriate governance understood. Efforts to digitize a traditional security operating model expose resistance or the need for adjusting investment in security building blocks (i.e., skills, process, tools) to support the direction.

Improve this Next

80-60 PTS

Security and compliance is largely a manual process that kicks off after development is complete.

Improve this Now

60-0 PTS

Questions & Answers

The question-and-answer section outlines why the questions are important, how they are weighted, and what best practice looks like.

How do security and compliance operations impact digital initiatives?

Why we ask this:

Poorly adapted security and compliance models slow down product velocity without necessarily reducing risk and improving security compliance. At best, feature release lags. At worst, the iterative nature of sprint-based development means that code with non-compliance/security gaps might be propagated across teams or sprints, pending security cycle time for review and remediation. This makes repair and compliance testing more complex.

How we weighed this question:

Where security and compliance reviews and remediation happen and whether those processes become a bottleneck to launch are high indicators of digital capability maturity. The ideal state is security and compliance and digital development operating models work in tandem.

What best looks like:

Development and security and compliance testing activities can occur in a sprint (like a product increment) with a real-time ability to remediate. Security resources are subject matter experts that focus on high-risk remediation and then apply and automate tactics to ensure testing and compliance consistency at scale.

Next Steps:

Sponsor whiteboarding sessions with Security /IT Product Development to identify and act on the highest impact changes. Don’t wait for an end-to-end multi-year plan to be rationalized.

Do your existing security and compliance workflows enable and federate compliance over optimizing for audit and inspection?

Why we ask this:

Digital product lifecycles and Agile work management strain traditional security operating models that drive approval processes. Security compliance and the need for digital product delivery velocity cannot operate effectively if they work at cross purposes.

How we weighed this question:

Security and compliance is binary for financial institutions, so an approach that federates and automates requirements will make digital strategy and product safety part of the core.

What best looks like:

The security operating model has shifted so that digital product development teams easily translate security by design, automate compliance testing for a real-time look at issues and often can remediate issues found in a sprint. Security is engaged in digital initiative discussions. Security and other teams have transparency to compliance testing and remediation for audit and can quickly intercede to help product teams with any high-risk impediments.

Next Steps:

Work with your CISO on the highest priority changes that help make security and compliance easy to follow, automatable and auditable. You may need to start with articulating guardrails and accountability between CISO and CIO organizations.

Is security compliance automated and auditable on demand at the sprint, feature, product line and other levels as needed?

Why we ask this:

Accountability for security and compliance historically falls outside of IT developers’ purview. Moving to digitally effective requires engineering to be able to articulate security outcomes needed at their level (i.e., team, manager, executive), act accordingly and prove compliance automatically.

How we weighed this question:

Developers cannot build the right thing if they cannot articulate guardrails or what done means in terms of secure/compliant features, and support compliance in a way that is consistent, auditable and at scale.

What best looks like:

Guardrails and ownership for security compliance are understood and incorporated into design and development activities. The organization can measure security outcomes and provide on-demand views of compliance. Security is not purely an after-the-fact compliance activity.

Next Steps:

Work with your security leadership to publish requirements and build processes to measure and ensure a consistent understanding of compliance. This may start with intranet-based documentation, lunch and learns and coaching/mentoring.
Support CISO investment in tools and automation that facilitate consistent, auditable compliance at scale.
Whiteboard priority actions to begin or accelerate the process of moving security resources out of a compliance approval process guards to SMEs supporting digital development objectives, enabling tactics like automation for scale and velocity and removing/remediating risk.

Are your cloud and digital engineering teams automating security and compliance guardrails, evidence collection, and verification work?

Why we ask this:

Security automation is the easiest way to move at speed and scale consistently. This implies that security has a product management mindset to continually evaluate and develop security and compliance guardrails, evidence collection and verification in the most seamless way possible.

How we weighed this:

Automation is important but is only meaningful when the security operating model has adapted for digital product launch. Just having automation is not significant.

What best looks like:

Your security organization treats automation like a product. They own the guardrails and definition of compliance and build capabilities so that new requirements can be incorporated, dispersed product line teams can self-service testing automation and the outcome is more secure products at speed. Verification and required reporting are easily accessible, not Key Performance Indicators for security.

Next Steps:

Define low-hanging fruit investments so that digital development teams can build automated testing specific to their product and market needs in a sprint.
Work with the CISO to rationalize compliance reporting requirements so that compliance verification and reporting can be automated and available on demand.

Resources

For a deeper understanding of Product Management mastery, read these articles. They explain how to take on Product Management, the BreakFree way

Relevant Blog Posts:

Understanding Pre- and Post-Digital Operating Models

Service Requests Mentality is a Blocker to Digital

Moving into Hyper-Drive

Workbook Sections