Agile Security Leadership
“It is impossible to innovate if it has to work”
How do you know if you are an agile security leader in 2025?
A big question, yes. And it's a question worth asking—not because there's a checklist to complete, but because the nature of cyber leadership has fundamentally shifted. In an environment shaped by constant threat evolution (CrowdStrike, 2025), resource constraints (SecurityBrief Australia, 2024), and the need for speed without recklessness, agile security leadership is no longer optional. It's the mindset, method, and culture required to build resilient, high-impact security programs. Let’s examine a simple model that might help inform an understanding of what it means to lead with agility in today’s threat landscape.
In a volatile threat environment, static cybersecurity models fail. Agile security leadership demands a dynamic, adaptive approach, aligning technical defences and strategic foresight. This model proposes three core competencies: ORCHESTRATE, ADAPT, and PERFORM — each crucial for minimising exposure, maintaining operational resilience, and continuously evolving in the face of complex, evolving adversaries. For a fuller sense of what I mean by agile security, read this first: https://stratrisk.com.au/perspectives/imagining-agile-cybersecurity
Key Principles
There are many ways to structure a capability to lead a security function in a complex organisation with agility, but one useful way is to think of it as exhibiting three key strategic principles:
ORCHESTRATE: Pre-position your organisation with flexible, modular defences, embed governance through enablement, and scale security across teams.
ADAPT: Monitor threats actively and reorient defences dynamically based on real-world signals, not static assumptions.
PERFORM: Institutionalise continuous learning, reflection, and human-centred leadership to sustain high-performing security cultures.
Let's drill down into these principles, and see if we can get a sense of whether they have a meaning beyond mere jargon.
ORCHESTRATE: Proactive Preparation and Assurance
“You orchestrate people, processes, and platforms—not to centralise control, but to maximise leverage.”
If you ORCHESTRATE, you lead through:
Designing modular, flexible security architectures.
Deploying layered detection and response capabilities across cloud, endpoint, and network layers.
Maintaining prebuilt containment and recovery playbooks assuming partial compromise.
Embedding security into delivery pipelines, promoting secure-by-design thinking.
Building guardrails, not gates—enabling decentralised accountability and autonomy.
Championing transparent governance rooted in real risk, not compliance theatre.
Using lightweight frameworks and automated compliance checks to reinforce, not restrict, agility.
What if I don't?
Without strategic orchestration, security becomes fragmented and fragile. Product or feature releases can be delayed significantly due to non-functional security requirements being identified late, leading to missed revenue and strained relationships between product and security teams. Centralised control without empowerment breeds resentment; chaos without coordination creates risk. Both lose.
And In Real Life?
The Equifax breach (2017) revealed, according to the U.S. House of Representatives Committee on Oversight and Government Reform, how a breakdown in cross-team coordination can have catastrophic consequences. Despite knowing about a critical Apache Struts vulnerability, Equifax failed to patch affected systems due to ineffective communication between IT operations and security teams, a lack of clear ownership for system maintenance, and the absence of automated asset discovery tools. The Committee found that Equifax's vulnerability scanning processes missed critical systems, and that internal follow-ups were inconsistent and lacked accountability.
These systemic coordination failures, as detailed in the Committee's report, allowed attackers to maintain undetected access for 76 days, resulting in the exposure of sensitive personal information of 147 million individuals. This case demonstrates that without orchestrated responsibility, clear governance, and transparent reporting structures, even well-resourced organisations are vulnerable to preventable disasters (Equifax Report, 2018).
Key Agile Concepts: Empowerment, ownership, secure design, enablement, traceability
Tools: Agile boards, capability heatmaps, lightweight governance, automated guardrails, Security Program oversight, security metrics.
ADAPT: Dynamic Threat Response
“Security must become agile.”
If you ADAPT, you lead through:
Shifting defences dynamically based on live threat intelligence.
Prioritising effort through quantitative risk frameworks like FAIR.
Abandoning outdated assumptions, pivoting to zero trust models under pressure.
Communicating clearly with executives and Boards using impact language.
Using threat-informed backlogs to align investments with evolving exposures.
Implementing a Cyber Strategy with long-term thinking, informed by good practices and standards, but not enslaved by them.
What if I don't?
If you fail to lead with adaptive risk awareness, you risk over-investing in low-impact areas while missing your most critical exposures. Without adaptive risk leadership, resources are wasted, and blind spots become disasters. Organisations may continue to invest in outdated priorities while adversaries exploit unseen gaps. Organisations that focus on 'chasing results' through their security efforts, such as arbitrarily defined NIST Cybersecurity Framework maturity scores, rather than focusing on adapting to the real threats the organisation faces, often fall into this trap.
And In Real Life?
The MOVEit Transfer breach in late May 2023 exposed how thousands of organisations (Emsisoft MOVEit Breach Statistics and Analysis, 2023) relying on legacy file transfer architectures were unprepared for mass exploitation of a zero-day SQL injection vulnerability. Despite strong perimeter controls, the assumption that trusted systems were inherently safe left many blind to the risk.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), proactive measures such as minimising internet-facing exposure, implementing strict access controls, maintaining asset inventories, and applying timely patches are critical to mitigating the MOVEit vulnerability (CISA Advisory AA23-158A). It is not shown that published mitigations would have allowed organisations to avoid initial compromise - it was a zero-day vulnerability after all. However, the CISA guidance substantiates the theory that organisations practising adaptive, risk-driven controls (extrapolating from the principles espoused) would be well positioned to limit the impact of future related or similar breaches. The incident demonstrates that adaptive, threat-responsive models—not static defences—are essential to resilience.
A key lesson we can draw from events such as the MOVEit Transfer breach is that effective security leaders develop, in their teams and organisations, the willingness and the ability to continuously challenge the accepted view of what threatens their critical assets and information. This means responding with agility (within minutes, hours and days), even once compromise has occurred. By doing this, agile organisations may take effective and deliberate steps to avoid being breached in the first place, or to avoid a repeat compromise through the same or a similar vector in future.
For example, an agile cyber risk assessment of file sharing using MOVEit or a similar appliance may lead an organisation to avoid using file transfer appliances altogether, in favour of more secure methods of transferring highly sensitive information. Alternatively, it may identify other protective controls that greatly reduce the risk of using such appliances, if their use cannot be entirely avoided: for example, more stringent application hardening controls, such as restricting inbound network communications to the appliance, as recommended in the Mandiant MOVEit Containment and Hardening Guide (Mandiant, 2023).
A critical starting point is to determine what your critical information assets are (asset discovery), what threats they are exposed to and what their vulnerabilities are (impact assessment), and then to home in on the most efficient security controls available to protect them. This approach would have helped in the context of the MOVEit Transfer breach, and in events like it.
Key Agile Concepts: Prioritisation, threat-informed planning, adaptability
Tools: Risk scoring, FAIR models, agile risk backlogs, proactive cyber risk assessments and workshops, proactive asset discovery and impact assessments.
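The "quantitative risk frameworks like FAIR" mentioned above, and the asset-to-threat-to-control sequence described for the MOVEit case, can be made concrete. The following is an added illustration, not code from the article, from StratRisk, or from any FAIR tooling: a small Monte Carlo model in the FAIR style, where loss event frequency is threat event frequency multiplied by vulnerability, and annualised loss is the sum of loss magnitudes over the events in a simulated year. The scenarios, estimates, and the hypothetical hardening control (restricting inbound traffic to an appliance, assumed to cut its vulnerability from 0.6 to 0.2 for an assumed 50,000 per year) are all constructed; the function names are this example's own.

```python
"""
FAIR-style Monte Carlo risk scoring to build a threat-informed backlog.

Added illustration, not code from the article or from the FAIR standard's
tooling. Every number below is a constructed estimate for a fictional
organisation; replace them with calibrated estimates from your own workshops.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: a threat acting against a critical asset."""
    asset: str
    tef: tuple            # Threat Event Frequency per year: (min, most likely, max)
    vulnerability: float  # P(threat event becomes a loss event), 0..1
    loss: tuple           # Loss magnitude per event: (min, most likely, max)


def _tri(rng, bounds):
    """Sample a (min, most likely, max) estimate; random.triangular is (low, high, mode)."""
    lo, mode, hi = bounds
    return rng.triangular(lo, hi, mode)


def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def annual_loss(scenario, rng, vulnerability=None):
    """Sample one year's total loss (FAIR: LEF = TEF x Vulnerability)."""
    vuln = scenario.vulnerability if vulnerability is None else vulnerability
    lef = _tri(rng, scenario.tef) * vuln
    events = _poisson(rng, lef)
    return sum(_tri(rng, scenario.loss) for _ in range(events))


def simulate(scenario, iterations=10_000, seed=7, vulnerability=None):
    """Return (mean annualised loss exposure, 90th-percentile annual loss)."""
    rng = random.Random(seed)
    losses = sorted(annual_loss(scenario, rng, vulnerability) for _ in range(iterations))
    p90 = losses[int(0.9 * iterations) - 1]
    return statistics.fmean(losses), p90


def expected_ale(scenario):
    """Closed-form mean for a sanity check: E[TEF] * Vulnerability * E[Loss]."""
    return (statistics.fmean(scenario.tef) * scenario.vulnerability
            * statistics.fmean(scenario.loss))


def build_backlog(scenarios, **kw):
    """Rank scenarios by mean annualised loss exposure, highest first."""
    scored = [(s.asset, *simulate(s, **kw)) for s in scenarios]
    return sorted(scored, key=lambda row: row[1], reverse=True)


def control_value(scenario, residual_vulnerability, annual_cost, **kw):
    """Loss exposure removed per unit spent on a control that lowers vulnerability."""
    before, _ = simulate(scenario, **kw)
    after, _ = simulate(scenario, vulnerability=residual_vulnerability, **kw)
    return (before - after) / annual_cost


# Constructed scenarios for a fictional organisation (not real data).
SCENARIOS = [
    Scenario("file-transfer-appliance", tef=(0.5, 2, 6), vulnerability=0.6,
             loss=(200_000, 800_000, 3_000_000)),
    Scenario("payroll-database", tef=(0.1, 0.5, 2), vulnerability=0.5,
             loss=(500_000, 2_000_000, 8_000_000)),
    Scenario("internal-wiki", tef=(1, 4, 10), vulnerability=0.3,
             loss=(5_000, 20_000, 80_000)),
]

if __name__ == "__main__":
    for asset, mean_ale, p90 in build_backlog(SCENARIOS):
        print(f"{asset:<24} mean ALE {mean_ale:>12,.0f}   p90 {p90:>12,.0f}")
    # Hypothetical control: restrict inbound traffic to the appliance, assumed to
    # cut vulnerability from 0.6 to 0.2 at an assumed cost of 50,000 per year.
    print(f"appliance hardening: exposure removed per unit spent = "
          f"{control_value(SCENARIOS[0], 0.2, 50_000):.1f}")
```

The backlog order comes from mean exposure, but the 90th percentile is reported alongside it because a Board conversation about a plausible bad year ("impact language") needs the tail, not just the average. Ranking candidate controls by exposure removed per unit of spend is what "homing in on the most efficient controls" looks like when written down.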
PERFORM: Continuous Learning and Human-Centred Leadership
“It is impossible to innovate if it has to work.” (Seth Godin on Playing the Right Game and Strategy as a Superpower, 2023)
If you PERFORM, you lead through:
Encouraging individuals at all levels within the security team to take ownership and accountability for their specific areas of competency, and empowering them as much as possible (with guardrails) - as part of a strict 'no passengers' policy.
Being interested and getting involved in the detail when needed or invited. Roll up the sleeves regularly and help the team ‘get stuff done’ - but don’t get in the way of the team.
Conducting safe-to-fail experiments and blameless retrospectives.
Promoting a culture of curiosity, resilience, and psychological safety - and where it naturally emerges, a culture of care between team members - where individuals care about each other and for the team as a whole.
Developing a 'social contract' (team norms) with the team that ensures every team member is invested in the purpose of the security function and feels respected as an equal, in an environment where everyone abides by the commonly agreed rules.
Embedding cycles of experimentation in every team or squad's sprints or work cycles, alongside other projects or initiatives, encouraging improvements (e.g. dynamic iteration in threat hunting, detection tuning, and incident response).
Embedding human-first leadership practices that value intrinsic motivation, dignity, and agency - for example by making time for team-based knowledge-sharing, unstructured team interactions, and by centralising the role of coaching.
What if I don't?
Failing to foster a learning culture can make your team brittle. Without space to fail safely and reflect meaningfully, teams don't grow—they retreat or leave. Without psychological safety and innovation, security teams become reactive, cautious, and eventually ineffective.
And In Real Life?
Twitter’s July 2020 breach showed how fragile security culture or practices can expose even technically strong organisations. According to the New York Department of Financial Services' Investigation Report, a combination of critical leadership and cultural failures enabled the incident. Twitter notably lacked a Chief Information Security Officer (CISO) at the time, and security ownership was poorly distributed across the organisation.
Twitter’s lack of a Chief Information Security Officer (CISO) and its failure to implement major compensating controls after the shift to remote work (during the 2020 COVID-19 outbreak) suggest that cybersecurity risk ownership and assessment were fragmented and ineffective, according to the New York Department of Financial Services’ Investigation Report. This allowed access rights to critical administrative tools to be overly broad, with too many employees having unnecessary privileges.
There was also a systemic lack of security awareness more broadly across the business, enabling attackers to successfully carry out a phone-based social engineering (vishing) attack. Compounding these issues, Twitter lacked consistent multifactor authentication (MFA) for accessing internal systems used to manage user accounts and failed to apply strict least-privilege principles. Collectively, these deficiencies created an environment where a sophisticated but preventable breach could flourish (NYDFS Twitter Report, 2020).
The lack of a high-performing security team, a lack of leadership, and a poor security culture in an organisation can lead to significant breaches (as the NYDFS Twitter Investigation Report suggests). However, the more likely organisational outcome of failing to promote a healthy high-performance culture focused on the wellbeing of individuals and positive working relationships is no less toxic: stalled initiatives, work-to-rule, simmering resentments between team members, burnout, or a lack of engagement leading to half-hearted or poor-quality work. All of these failures lead, at least indirectly, to security breaches, since the security controls the organisation needs are built either too poorly or too slowly to stop malicious actors from achieving their purpose.
Key Agile Concepts: Iteration, feedback loops, resilience, intrinsic motivation
Tools: Postmortems, SOAR playbooks, career development tracks, engagement surveys, security culture, security leadership.
The Upshot
Agile security leadership is not just about reacting faster, leaping at every shadow. Nor is it just a 'dressed-up' way of justifying making people work harder. Instead, it's about building organisations that expect change, absorb shocks, and evolve continuously. It is, as one of the founders of the agile movement (Alistair Cockburn) put it so succinctly, the 'ability to move quickly and with ease' (Alistair Cockburn on Agile, 2001).
ORCHESTRATE, ADAPT, and PERFORM form a dynamic leadership model that prioritises scalable preparation, threat-driven flexibility, and human-centred high performance in an environment where delay and rigidity are unacceptable vulnerabilities.
To lead in cybersecurity in 2025 is to embrace complexity with clarity and structure with flexibility, and to care and put people first. For some, that might be the most confronting bit.
References
CrowdStrike. 2025 Global Threat Report, 2025. Available at: https://www.crowdstrike.com/global-threat-report/
SecurityBrief Australia. Australian firms face cybersecurity risks amid AI adoption – ADAPT Security Edge Survey October 2024, 2024. Available at: https://securitybrief.com.au/story/australian-firms-face-cybersecurity-risks-amid-ai-adoption
StratRisk. Imagining Agile Cybersecurity, 2024. Available at: https://stratrisk.com.au/perspectives/imagining-agile-cybersecurity
U.S. House of Representatives. The Equifax Data Breach, Staff Report, 2018. Available at: https://oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf
Emsisoft. MOVEit Breach Statistics and Analysis, 2023. Available at: https://www.emsisoft.com/en/blog/44123/unpacking-the-moveit-breach-statistics-and-analysis/
U.S. Cybersecurity and Infrastructure Security Agency (CISA). CISA Advisory AA23-158A, 2023. Available at: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
Mandiant. MOVEit Containment and Hardening Guide, 2023. Available at: https://services.google.com/fh/files/misc/moveit-containment-hardening-guide-rpt-en.pdf
New York Department of Financial Services. Twitter Investigation Report, 2020. Available at: https://www.dfs.ny.gov/Twitter_Report
Seth Godin. Seth Godin on Playing the Right Game and Strategy as a Superpower, 2023. Available at: https://youtu.be/yhc1sM2NnQY?feature=shared
Alistair Cockburn. Introduction to Agile Concepts, 2001. Available at: https://www.youtube.com/watch?v=sr5wfygbY7k