To keep a customer’s trust, risk and security are key for financial enterprises like ING. At the same time we want to work Agile in a BizDevOps format, because we know it gives us the increased velocity and quality of software we need. This way of working also leads to happier and therefore more productive employees. A separate security team that has to check all software before it goes into production would be a huge bottleneck, especially if you have some 150 teams building software. The only way we can maintain velocity without sacrificing our security demands is to have all DevOps teams take responsibility: not just for the software they build and maintain, but also for the security aspects of those applications.
This is easier said than done, especially in an Agile way of working. In this kind of environment the requirements of risk management can easily be perceived as old-fashioned and unnecessarily restrictive, a thing of the past from when we still worked Waterfall. In addition, top-down orders don’t work anymore. All work should be planned via the backlog, and the team and Product Owner have the last word in deciding what is done in which sprint. You can explain to the teams how important risk and security are, but if you can’t make it tangible, are they going to remember that amid the daily hectic?
To address these challenges we started our Risk Awareness Days program in 2017. During the year 5 days are set aside for all teams to work on the same risk items. The topic for the day varies, depending on which risks are highest on the agenda at that time. Regardless of the topic, a central theme is that if an engineer can engineer at a problem, he/she will understand and remember it better. Working on risk and security shouldn’t be a nuisance but rather a joy. After the first few days we arrived at a standard program that has the biggest positive effect, both on the security awareness in the engineers’ mindset and on the number of concrete risks that were eliminated.
In this talk we discuss how we organise our Risk Awareness Days. We will take you through the standard program and explain why we chose this combination of increasing knowledge and practical engineering work. We discuss some of the topics we addressed and some of the results that we can share.
Key takeaways:
• How to make IT Risk fun?
• How to challenge your engineers to stay ahead of cyber criminals?
• Can you be both Agile and in control of Risk and Security?
• How do you make Risk Management meaningful?
• Engineers should engineer, especially when dealing with risk and security