Many organizations attempt to adopt DevOps and Agile practices only to crash against a compliance wall such as RMF, PCI-DSS, or even GDPR. Those who offer Agile management frequently want to sell you a brand. Even Gene Kim’s “The Unicorn Project” shows a security officer experiencing a complete breakdown before becoming a DevOps enthusiast. It’s not that hard. After being a Product Owner on an Agile team, I transferred to a security lead position, operating the Risk Management Framework (RMF) with an org newly committed to Agile. My team worked through a mindset change without the breakdown, incorporating small compliance goals, integrating with developers, shifting security left, and building cooperative risk ownership. This session shares my experiences incorporating an Agile workplace with U.S. Government compliance in the hope of helping others.
Dr. Mark Peters retired from the Air Force after 22+ years as an intelligence professional and now works for Technica Corporation as a Security Engineer on a US Air Force cyber weapon system acquisition program in San Antonio, TX. During his Air Force career, he deployed five times, worked with a variety of tactical and operational systems, and commanded a space intelligence squadron. He is also the author of the book "Cashing in on Cyberpower", analyzing the system-level economic impacts of over 10 years of cyber-attacks. New to Agile and DevSecOps processes, he has worked with a variety of planning tools and remains excited by the future potential for response-based planning.