Agile Security and Compliance Prioritizes People Over Process
Some people might question whether security and compliance issues can be managed effectively within an Agile framework. However, Christa Meck, IT manager at Kasasa, believes that the security of sensitive data is fundamental to the Agile way of thinking. On September 17, 2019, in Austin, Texas, a panel of Agile and technology experts will gather for a TechDebate to discuss this issue of agile security and compliance. Christa will be moderating the panel; I had the chance to talk with her to get a preview of some of her thoughts.
Could you help set the stage for our conversation by briefly describing Kasasa’s business?
We are in the FinTech space, which is a fancy way of referring to the usage of technology by financial services companies to improve delivery of products to their customers. Specifically, we help small banks and credit unions create products and capabilities that a small bank or a credit union wouldn’t have a budget or a team to create on their own.
The financial services industry is obviously heavily regulated. We’re not quite audited at the same level as a bank or credit union, but we’re getting closer. Most of our past offerings were more on the marketing side, with a lot less regulatory exposure. This is changing as we deepen our product and service offerings within the industry.
Do you see a fundamental tension between the Agile methodology and these more rigorous regulatory demands?
I don’t think so. The Agile manifesto prioritizes people over process. In today’s world, every bit of information about you is housed within databases somewhere—your data residing within various financial institutions is certainly not an exception. If we are prioritizing people over process, we have a responsibility to make sure this information is protected at all costs.
When we think about prioritizing people over process in the context of the Agile manifesto, we often think about our team, our reports, our customers—those directly within the sphere of our work. However, within the financial services sector—and many other industries, for that matter—we must think of “people” in a broader context. When we are storing names, social security numbers, birthdays, phone numbers, and many other pieces of highly sensitive information, we need to think about people over process in a broader sense.
We have to make sure that, whatever processes we invent to do whatever we’re doing, we’re also being mindful of the people at the same time. Thinking about the issue in this context illustrates how security and compliance are not at odds with Agile. Rather, security and compliance are fundamental to Agile.
Technology companies tend to gravitate toward prioritizing new product features over the security and compliance side of the business. What are your thoughts on this?
I joke that it’s the Eye of Sauron. Sauron is, of course, the main antagonist of J. R. R. Tolkien’s The Lord of the Rings. When the Eye is looking at you and you have his focus, you can do all the things. Earlier this year my team, our security team, and our cloud infrastructure team were very focused because the Eye was upon us to pass an audit. Thus, there was a lot of focus, there was a lot of energy, and there were a lot of resources at our disposal to make sure we successfully passed the audit. After we passed the audit, the organization became more product-focused. However, although product focus is what drives company revenue, there are times when a security and compliance focus is more important.
How has cloud computing affected your security and compliance practices?
It’s interesting, because on one level the cloud has made things easier, and on another level, it has made things really hard, especially in the financial services space.
It’s challenging to explain the Amazon cloud to a small community bank. The leadership of a small bank likely knows little about current cloud computing security and is taken aback to think about all of its customers’ data being on someone else’s servers in this mysterious cloud. This makes it tough for our team to make customers feel comfortable.
On the flip side, this has made things on the infrastructure side way easier because cloud tools integrate easily. All I do is buy the tools and specify how many licenses I need, and I don’t have to worry about the servers. The cloud provider builds a database, and we start filling it with data.
There’s a single sign-on—one user, one password—and you can sign in from anywhere. Again, structurally, it has made things a lot easier and has also removed some of the security burdens from us.
However, if I am going to upload a bunch of data to Salesforce, for instance, I need to count on Salesforce to do what it needs to do to keep my data secure. So picking new vendors within the cloud environment is a lot more challenging because we have to do a lot more digging. What providers are the main service provider working with, and could there be a breach somewhere down the chain? We have to work to understand how the lead solution provider is managing any supporting providers it is using.
The cloud is also very helpful for experimentation or temporary work. I can spin something up or pass or fail a proof of concept very quickly. This said, Amazon cloud storage costs a lot of money, and sometimes people do proof-of-concept stuff but don’t clean up their trash. The next thing I know, I have a huge Amazon bill because of a query that went bad and has been racking up CPU cycles like nobody’s business.
It also goes back to paying attention to what we are doing and who we are doing it for and making sure that we’re always paying attention to the right stuff, whether it’s Agile-manifesto-based or not.
Sphere Software (https://sphereinc.com) is the sponsor and organizer of Techdebates.org and also finds great value in these follow-up discussions with industry experts. Sphere is a technology consulting and solutions company. Everything we do is designed to accelerate your business, remove technical constraints, and eliminate staffing bottlenecks.