In this episode, Eric Landes addresses a question he received while delivering a class on Applying Professional Scrum. The student was a security specialist and was trying to figure out how Scrum teams handle the work needed to maintain security and compliance. 

If you are interested in attending Scrum training, check out our public Scrum training courses.

How Does Security Fit into a Scrum Team?

When conducting Scrum training, teams ask about different roles and how they fit on a team that only has developer, Scrum Master, and Product Owner accountabilities.  It is a valid question, when I introduce the Scrum framework, it can be confusing how current jobs fit into the Scrum framework accountability.

The good news is that the Scrum framework talks about accountabilities, not job descriptions.  So, the writers of the Scrum guide understand that existing job roles are not necessarily supplanted by the accountability.  But Scrum does say that your Scrum team needs to be able to complete their work to make it potentially shippable.   A student asked how it could be shippable without their security group, InfoSec approving this.  This specific organization, had to have a security review before any release could make it to production.

How does the Scrum framework handle these organizational constraints?  The Scrum guide says "Scrum Teams are cross-functional, meaning the members have all the skills necessary to create value each Sprint."   And the Scrum team self-manages to make sure they have the right capabilities for the team. 

The Scrum guide is lightweight and not very prescriptive as you have probably noticed.  I would answer that question using my experience, letting your team self-manage with this information.  Practically speaking here are four ways your team could practice that self-management to help with this question:

1. Add someone with security expertise to your team - The team would coordinate with the folks in charge of security to add that skill set to the team.  This would involve coordinating when that person would be needed.  
2. Have someone knowledge transfer with security people - Similar to number one, by having a security expert work with the team for a sprint or two, knowledge transfer can happen.  A team member volunteers to learn, the security folks agree on when this can be done, and now your team has someone with the skills to get those security policies implemented.  The security Infosec team can now work with other Scrum teams to help them add these skillsets.
3. Add security policies to your definition of done - Adding security checks to a team’s Definition of Done might help the team by providing guidance as to what can be done.  In combination with 4, this might have the least amount of time spent learning for the team.
4. Security gives teams automation to do security checks. - If your security organization is creating automation to validate security issues, your team should use this.  So, a conversation or two or more, with the security folks is needed to validate what tools are available for your team.  This could be the least intrusive option for your team.

These are 4 options that your team may want to adopt to help with Infosec or security requirements on a Scrum team.  Your team may self-manage to a better option for your organization.  Discussing what can be done within the team is a great first step!

Want to Learn More or Get in Touch?

I’d love to hear what you think. If you have a question or a comment, please email us at [email protected].

For more information on AgileThought's available courses, go to agilethought.com/services/training-certifications.  This information is also available on the page of this podcast.  Thanks for listening!

 

From