Imagining Agile Cybersecurity

The Inspiration

When seventeen software engineers met at Snowbird, Utah in February 2001, they felt compelled to respond to what they saw as an intractable impasse in technology. Demand for new software was peaking, yet engineers felt they could not deliver on its promise because development practices were antiquated, hierarchical, and rigid. Projects were failing, running over time, over budget, or both, and results fell short of expectations. Something had to give. After many discussions, and time on the ski slopes, they produced the Manifesto for Agile Software Development. This watershed moment triggered a revolution in software design and development, one that endures to this day.

In cybersecurity, we face our own impasse. Organisational dependencies on IT are increasing. Cyber threats are worsening. Meanwhile, team sizes are stagnating or shrinking, along with budgets. Security people are increasingly overworked and stressed. Adversaries are becoming nimbler and more effective - and the cyber breaches they cause, more devastating.

In 2025, faced with our own intractable impasse, we should be inspired by those technologists who met to collaborate in Snowbird almost a quarter century ago. I believe it is time for us to reimagine how we protect what we care most about: eliminating task drudgery, extracting the value of our investments, and unleashing our teams. It is time for Agile Cybersecurity.

The Need for Agile Security

Cybersecurity teams today face a rapidly evolving threat landscape. Attackers operate with an agile mindset: adapting tactics, leveraging AI and automation, and exploiting vulnerabilities faster than traditional security defences can respond. For most organisations, cybersecurity budgets are being rationalised, if not increasingly constrained, meaning smarter decisions need to be made about what to protect, and how. Security leaders no longer have the luxury of 'buy everything, implement everywhere', even at the largest enterprises where it might once have seemed possible. Meanwhile, security teams remain bound by rigid processes, excessive documentation, and isolated decision-making structures. Security professionals are becoming more and more overworked, stressed and, in extreme cases, burnt out.

It doesn’t have to be like this. When the traditional ‘command-and-control’ approach patently no longer works (or doesn’t work well enough), cybersecurity practices must adapt.

But what is agile? "The ability to move quickly and with ease" (Alistair Cockburn, Getting to the Heart of Agile).

Recent reports indicate a dramatic acceleration in cyberattack speed and sophistication. According to the CrowdStrike 2025 Global Threat Report, in 2024 the average adversary breakout time (how long it takes an attacker to begin lateral movement within a network after gaining initial access) dropped to 48 minutes, with the fastest recorded at just 51 seconds. A year earlier, the average breakout time was 62 minutes. Meanwhile, the 2024 Data Breach Investigations Report (DBIR) highlights a 180% increase in the exploitation of vulnerabilities as the 'critical path action' to initiate breaches. These statistics underscore the growing agility of attackers and the urgency for security teams to match their pace.
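Breakout time is a metric you can measure on your own telemetry, not just read in a vendor report. The script below is an added example (not code from this article, from CrowdStrike, or from Verizon) showing how the metric is derived and how it can be set against the defender's counterpart, time to first detection: an intrusion is "won" by the defender when detection fires before the first lateral movement. The intrusion IDs, hostnames and the simple (intrusion, timestamp, event type, host) record format are assumptions chosen for the example, and the sample events are constructed, not taken from any real incident.

```python
"""Derive adversary breakout time and defender detection lag from simple event records."""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry. Intrusion IDs, hosts and event types are
# hypothetical; none of this comes from the article or the reports it cites.
# Record shape: (intrusion_id, ISO-8601 UTC timestamp, event_type, host)
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    ("INC-001", "2025-03-01T09:00:00Z", "initial_access",   "ws-17"),
    ("INC-001", "2025-03-01T09:00:51Z", "lateral_movement", "ws-17"),  # 51 s breakout
    ("INC-001", "2025-03-01T09:35:00Z", "detection",        "ws-17"),  # alert 35 min after access
    ("INC-002", "2025-03-02T14:10:00Z", "initial_access",   "ws-42"),
    ("INC-002", "2025-03-02T14:20:00Z", "detection",        "ws-42"),  # alert 10 min after access
    ("INC-002", "2025-03-02T14:58:00Z", "lateral_movement", "ws-42"),  # 48 min breakout
    ("INC-003", "2025-03-03T08:00:00Z", "initial_access",   "ws-09"),
    ("INC-003", "2025-03-03T08:05:00Z", "detection",        "ws-09"),  # contained before any lateral movement
]

Event = Tuple[datetime, str, str]  # (timestamp, event_type, host)


def parse_ts(ts: str) -> datetime:
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' format as an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def group_by_intrusion(events) -> Dict[str, List[Event]]:
    """Bucket raw records by intrusion ID so each intrusion is analysed independently."""
    groups: Dict[str, List[Event]] = defaultdict(list)
    for intrusion, ts, kind, host in events:
        groups[intrusion].append((parse_ts(ts), kind, host))
    return groups


def first_time(evts: List[Event], kind: str) -> Optional[datetime]:
    """Earliest timestamp of a given event type, or None if that type never occurred.
    Using min() rather than list order keeps the result correct for unsorted input."""
    times = [t for t, k, _ in evts if k == kind]
    return min(times) if times else None


def seconds_from_initial_access(events, end_kind: str) -> Dict[str, Optional[float]]:
    """Per intrusion: seconds from the first initial_access to the first `end_kind` event.
    None means the end event was never observed for that intrusion."""
    out: Dict[str, Optional[float]] = {}
    for intrusion, evts in group_by_intrusion(events).items():
        start, end = first_time(evts, "initial_access"), first_time(evts, end_kind)
        out[intrusion] = None if start is None or end is None else (end - start).total_seconds()
    return out


def breakout_seconds(events) -> Dict[str, Optional[float]]:
    """Adversary breakout time: initial access -> first lateral movement."""
    return seconds_from_initial_access(events, "lateral_movement")


def detection_lag_seconds(events) -> Dict[str, Optional[float]]:
    """Defender's counterpart: initial access -> first detection alert."""
    return seconds_from_initial_access(events, "detection")


def defender_beat_breakout(events) -> Dict[str, bool]:
    """True where detection fired strictly before the first lateral movement, or where the
    intrusion was detected and no lateral movement ever happened. Undetected intrusions are False."""
    breakout, lag = breakout_seconds(events), detection_lag_seconds(events)
    verdict: Dict[str, bool] = {}
    for intrusion in breakout:
        if lag[intrusion] is None:
            verdict[intrusion] = False          # never detected: the adversary was unopposed
        elif breakout[intrusion] is None:
            verdict[intrusion] = True           # detected, and no lateral movement observed
        else:
            verdict[intrusion] = lag[intrusion] < breakout[intrusion]
    return verdict


if __name__ == "__main__":
    won = defender_beat_breakout(SAMPLE_EVENTS)
    for intrusion, secs in breakout_seconds(SAMPLE_EVENTS).items():
        shown = "no lateral movement" if secs is None else f"{secs:.0f} s"
        print(f"{intrusion}: breakout {shown}; defender ahead: {won[intrusion]}")
```

Run on the constructed sample, INC-001 reproduces the 51-second breakout the article quotes and shows the defender losing the race (alert 35 minutes later), while INC-002 shows the reverse: a 48-minute breakout but an alert at 10 minutes. Feeding the same functions your own EDR or SIEM exports, mapped to the three event types, gives a measured answer to the question the paragraph raises: are we faster than the adversary on our own network?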

But teams already at their limit workload-wise, overwhelmed by context-switching, and lacking useful tooling and automation, struggle to do that. The price is more, and worse, breaches.

What is Agile, Really?

When we run into seemingly intractable problems, creative dead-ends, and blockers to productivity, it is time to reinvent the accepted wisdom of how things must be done. 

This is as true for us now as it was for the seventeen experienced software practitioners who gathered at Snowbird, Utah, in February 2001. Frustrated by the failures of traditional software development to meet increasing demands for faster and more fit-for-purpose solutions, and inspired by the Lean movement and Just-in-Time (JIT), they were prepared to confront some 'sacred cows' and forge a new path.

The result was not a prescriptive method for building software, but rather an agreed set of principles collectively defined in the Manifesto for Agile Software Development.

Emphasising flexibility, collaboration, and responsiveness, it presents four key values:

  1. Individuals and interactions over processes and tools

  2. Working software over comprehensive documentation

  3. Customer collaboration over contract negotiation

  4. Responding to change over following a plan

Translating Agile Values to Security

You can’t enforce agile, or direct your security team to be agile. A fake or half-hearted effort at change won’t survive the first challenge. And we know that cybersecurity environments are not short of challenges.

Similarly, Agile Principles need to be understood thematically, and in context, before they can be successfully applied. This must be done with guidance, patience, and care.

Cyber teams can effectively incorporate agile ways of working when they start to adopt four points of emphasis:

  • EMPHASISE HUMANS: security remains essentially a 'human' domain, on the side of the adversaries as much as the defenders of systems and data. It is essential to unlock the specialist expertise of individuals within security teams, and to capture the outsized benefits that come from enhancing collaboration and knowledge-sharing across technology and security teams.

  • EMPHASISE ACTION: cyber threats emerge faster than security teams can deal with them when too many bottlenecks and barriers must be traversed before action can be taken, whether these relate to documentation of threats or to chains of management review and approval. With appropriate guardrails in place, security team members need to be empowered to respond to incidents as they emerge and to exercise appropriate levels of autonomy. An 'action bias' is essential.

  • EMPHASISE COLLABORATION: there are too many choices to be made, and the decisions are too complex, for security teams to decide in isolation what services and data to protect, and how to protect them. A security team that is isolated from the wider technology team and the business it supports will fail, since technology, the business, and threat actors all move too fast. Security teams will never be big enough, or resourced well enough, to design, implement or maintain security controls independently of the wider organisation.

  • EMPHASISE FLEXIBILITY: plans are needed to establish a security strategy that implements standards, good industry practice, and critical security controls. This takes time, focus and consistent effort over months, quarters and even years. Nevertheless, the increasing nimbleness of threat actors, and constant innovation in attacks and exploits, mean that the security team needs to be ready to pivot at all times: to modify priorities and respond to emergent threats, while never losing sight of the bigger picture.

‘Agile’ is Not a Dirty Word

Adopting agile in security practices does not mean abandoning strategy, planning, and the pursuit of good practices. It does not mean ignoring the need for well-defined, accountable, auditable controls. It is a red herring to imply that agile and flexible ways of working cannot co-exist with the most rigorous, standards-based security management discipline. I argue that in the real world of managing cyber threats we must have both, rather than an 'either / or'. Control flows from implementing agile in a smart way, not from ignoring the need to embrace new ways of working, especially when the rules of the game have changed.

If you want to do things differently, but can’t stand the word ‘Agile’, or it is a word freighted with negative connotations in your organisation, just make the changes anyway and call it something else. Simple.

Embracing Change

When seventeen software engineers met at Snowbird, Utah in February 2001, they felt compelled to respond to what they saw as an intractable impasse in the technology industry at the time. There they produced the Manifesto for Agile Software Development, and so brought about a profound revolution in the management of technology that resonates to this day.

Inspired by their example almost a quarter century later, I believe it is time for us to do the same in our constant efforts to protect the most critical information, assets and capabilities. I believe it is time for us to embrace Agile Cybersecurity.

References

  1. Cockburn, A. Getting to the Heart of Agile. Retrieved from https://youtu.be/sr5wfygbY7k?feature=shared

  2. Agile Alliance. Manifesto for Agile Software Development. Retrieved from https://agilemanifesto.org/

  3. CrowdStrike. 2025 Global Threat Report. Retrieved from https://www.crowdstrike.com/global-threat-report/

  4. Verizon. 2024 Data Breach Investigations Report (DBIR). Retrieved from https://www.verizon.com/business/resources/reports/dbir/
