Most organizations follow a waterfall process for this type of review, which requires either a complete Business Requirements Document (BRD) or an implemented Feature to review. To integrate properly with an agile process, organizations need to embrace a model in which reviews happen at multiple points in the lifecycle, with Security and Compliance leaders working collaboratively with Business and Technical leadership to identify areas of concern in the functionality defined within agile documentation.
“When creating a new model to merge agile and risk management worlds, it is important to stay loyal to agile manifesto and lean principles.” [1]
In a modern agile paradigm, all resources are aligned around a “business outcome mindset”. Within this mindset, the Security and Compliance leaders are valued members of the team within the Agile Portfolio and Program segments.
“As part of the transition to supporting a business outcome mindset, IT risk and security leaders must move from being the righteous defenders of the organization to acting as the facilitators of a balance between the need to protect the organization and the need to achieve desired business outcomes.” [2]
Part of the planning that may occur at this level relates to automated testing, which will occur later in the process. Automated security testing has become a staple of enterprise organizations. If an Epic introduces a new area of functionality that will require a new type of testing, a technical enabler [3] can be created within the Portfolio for that functionality. The end goal should be a workflow that is consistent with the Continuous Delivery mindset.