Security in an 'AGILE' operation and consulting environment

Over the last few years more and more companies have been moving toward 'AGILE' methodologies for consultancy engagements, which is fine, and I have very little problem with this. However, it has become more and more apparent that risks and issues are not always formally captured.

On many occasions I have been told “but we do standups, and the team talks about things…” or “We have no need to capture concerns as we have dealt with them, we are running two-week sprints…”

Unfortunately, with formal certification comes formality, and in particular the need to capture risks and issues so that they can be addressed and continual improvement can take place. The other big issue is that your auditors will ask for evidence and traceability.

For projects running over several months or years you must consider the retrospective element; it is no good reaching project closure with very little evidence of what went wrong and the lessons learnt. I am finding this in security, business continuity and quality projects.

