1Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Agile. The way to security

Antonio Ramos

2Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

3Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Table of contents

1. Risk analysis? Analysis? Are you serious?

2. Risk in complex environments

3. Agility applied to risk management

4Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

RISK ANALYSIS? ANALYSIS? ARE YOU SERIOUS?

5Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

What the f*$k?

6Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Risk Management Planning

Risks Identification

Qualitative Risk Analysis

Quantitative Risk Analysis

Risk response Planning

Risks control and monitoring

7Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Risk Management Planning

Risks Identification

Qualitative Risk Analysis

Quantitative Risk Analysis

Risk response Planning

Risks control and monitoring

8Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

But if we have never carried out a plan of this kind before, or worked in this kind of setting before, how successful can we be in anticipating

all the risks?

9Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

When we look at projects that failed, the most devastating risk factors often turn out to be things no one expected or was even thinking about

10Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

11Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

12Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

13Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Risk Management Planning

Risks Identification

Qualitative Risk Analysis

Quantitative Risk Analysis

Risk response Planning

Risks control and monitoring

14Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

15Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

R

R

R

R

R

R

R

R

R

R

16Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

BIASES

Combining probabilities

Base rate error

Anchoring

Overconfidence

Availability

Confirmation

Categorization – Law of large numbers

Representativeness

17Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

18Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

19Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

20Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

21Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Twister 564 90Fireworks 160 6Asthma 506 1886Drowning 1684 7380

Yearly death number per 200 millions people

Estimated Real

22Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

23Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

8 × 7 × 6 × 5 × 4 × 3 × 2 × 1

1 × 2 × 3 × 4 × 5 × 6 × 7 × 8

24Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

25Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

26Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

27Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

28Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

29Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

30Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

C X C X C X C X C X C X C X

C C X C X X C X X X C C C X

31Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

You’ ll like your jobYou’ ll own your own homeYou’ ll travel to EuropeYou’ ll go five years without a night in the hospitalYou’ ll have an alcohol problemYou’ ll get divorcedYou’ ll get a sexually transmitted diseaseYou’ ll have gum problems

32Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Risk Management Planning

Risks Identification

Qualitative Risk Analysis

Quantitative Risk Analysis

Risk Response Planning

Risks control and monitoring

33Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

34Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

35Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

36Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Risk Management Planning

Risks Identification

Qualitative Risk Analysis

Quantitative Risk Analysis

Risk Response Planning

Risks control and monitoring

37Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

38Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

39Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

40Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Analysis? Are you serious?

41Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

RISK IN COMPLEX ENVIRONMENTS

42Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Dave Snowden

43Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Complex Complicated

SimpleChaoticBest PracticeSense - Clasify - Respond

Good practiceSense - Analyze - Respond

Emerging practiceTest – Sense - Respond

Novel practiceAct - Sense - Respond

44Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Simple

45Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

SenseClasifyRespond

46Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

47Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Complicated

48Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

SenseAnalyzeRespond

49Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

PMBOKPMI Practice Standard for Risk Management

SEI’s SRE v2_0

ISO/IEC 16085 – 2006

ISO/IEC 27001

50Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Complex

51Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

ProbeSenseRespond

52Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

53Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

54Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

55Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Chaotic

56Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

ActSenseRespond

57Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

58Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Complex Complicated

SimpleChaotic

59Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Prioritize-and-reduce makes the most sense for well-ordered domains

The calculate-and-decide approach to risk works best in well-ordered

situations

60Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

This is really the essence of doing risk management planning in

agile: determining if we need to do it formally or if we should instead

allow risk to be addressed organically as part of the overall

process of constant inspection and adaptation

61Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

62Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Traditional Risk Management will make us overconfident when we are in complex and ambiguous situations

63Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

If we enforce traditional RM practices in complex

situations, we run the risk of imposing additional

procedures and constraints that reduce flexibility

64Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

65Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

near-misses

66Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

67Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Hypothesis

Arguments

Facts Assumptions

68Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Data

Formulate Design

Obtain

Hypothesis

Experiment

Learn

69Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

We need to develop resilience as a tactic for protecting ourselves against risk. We

need to engage in Risk Management by Discovery.

70Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

AGILITY APPLIED TO RISK MANAGEMENT

71Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

72Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

In Agile, the way addressing risk is built organically into the Agile Values, Principles and Practices

73Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Scrum

XP

Crystal Clear

DSDM

FDD

74Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Plan APlan BPlan C

75Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

76Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

77Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Original target

?

Original target

New target

78Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Original target

?

New targetNew target

New target

New target

79Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Original target

New targetNew target

New target

New target

New target

New target

New target

?

80Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

ApplyInspectAdapt

81Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

82Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

83Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

84Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

85Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

86Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

87Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

88Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

89Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

90Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Entonces, si el cliente cancela la reserva, ¿Tiene derecho a la devolución de la fianza?

No, te diré… ¿Tú qué crees? ¿Qué se van a quedar con mi pasta? Y además tendrán que darme una confirmación por email de que la cancelación es Ok!

Ya, pero el cliente tendrá que hacerlo con una antelación mínima, digo yo

91Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

92Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

93Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

94Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

95Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Early detectionInmediate responseQuick exploitation

96Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

‘Resilience’

97Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

98Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

99Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

100Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

101Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

A VIABLE organization

Less controls

An AGILE organization

More controls

A SECURE organization

102Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

A VIABLE organization

Less controls

An AGILE organization

More controls

A SECURE organization

Early detectionInmediate respondQuick exploitation

103Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

A VIABLE organization

An AGILE organization

A SECURE organization

A RESILIENT organization

104Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

105Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

106Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

107Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

108Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Co-authors

This presentation is possible thanks to Mario López de Ávila and his work and research on agile enterpreneurship

ISACA blog,”Forget the impregnable fortress approach—it’s time to adapt”http://goo.gl/NZuDU

109Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

ContactMario López de Ávila

mario.lopezdeavila@nodos.es

@mariolopezdeavila

http://es.linkedin.com/in/lopezdeavila

110Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

111Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

ContactAntonio Ramos

antonio.ramos@enplusone.com

antonio.ramos@leetsecurity.com

@antonio_ramosga

http://es.linkedin.com/in/sorani

112Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Thank you!