Explore the integration of Agile and Project Management with expert David Adeoye to enhance business value, especially in cybersecurity. Discover the benefits of agile methodologies in cybersecurity projects, feature-based planning, efficient value delivery, and fostering a proactive cybersecurity culture.
Join us as we welcome David Adeoye, an esteemed guest and expert in Agile and Project Management. Discover how these two strategies can work together to maximize business value. Learn tips on adopting new ways of working and navigating complexities. Explore the role of biases in decision-making and the connection between culture and cybersecurity. Gain insights on Agile Cybersecurity and its benefits.
This week's takeaways:
- Use agile methodologies to improve efficiency in cybersecurity projects.
- Adopt feature-based thinking with versioned cybersecurity plans tied to budgets.
- Understand the problem-solving approaches of project management and agility.
- Focus on delivering value efficiently based on project context.
- Foster a culture of reporting cybersecurity issues.
- Conduct simulated exercises to improve cybersecurity mindset and incident reporting.
For collaboration or feedback on their ebook, contact them at email@example.com. Don't forget to subscribe to the podcast for more insights.
Welcome to Definitely Maybe Agile, the podcast where Peter Maddison and Dave Sharrock discuss the complexities of adopting new ways of working at scale. Hello everybody, it's a pleasure to be here again for another exciting conversation about all things agile and transformation, and today we're joined by David. So, David, would you like to introduce yourself?
My name is David Adeoye, I work and I live in the United Kingdom. I'm a project manager and an agile coach on the usual combinations, started off in project management, in technology and IT and cybersecurity, and dovetailed into the agile world about 12 years ago when I observed some big challenges. I had heavy challenges with some products that rolled out and it was useless as built. It arrived to the market dead because the market conditions had changed. There were no subscribers anymore for the service and that began the irreconcilable moment that would lead me into the agile world. Because there must be a solution to the problem of development that waterfall introduces, where you develop over a period, you plan, you initiate, you plan, execute, monitor, control and close. By the time you're closing to deliver the products, the users moved on. Other things have happened in the market. So this began the journey to the agile development world and I've loved it. And I have the unique blessing of understanding the two worlds and the unique moment when you should use what and how to marry the two if need be, and the unique business value that that gives you is one of my strongest points. So I'm excited to be here to share and to banter with you both, Peter and Dave, thanks for having me, and I'm excited.
I'm just looking forward to the fact that with bantering with Peter, I've got a backup of another David.
I've been ganged up on that one.
Awesome, awesome I'm so much behind.
Now, David, you've mentioned some really interesting sort of almost conflicting ideas, you know project management and agility, that's very much in the news at the moment and I'm sure you've seen Harvard Business Review article recently talking about hybrid delivery and trying to bring project management and agile together, to a lot of consternation from, I should expect, people on both sides. Right, and you know there are very different things in some ways, but you also touch on things like cybersecurity and compliance. So there's this really interesting. You've got to bring all the rocks together, that bank together and cause challenges. Now what is it? Where do you start?
Yeah, project management is not an execution tool, it's a way of life, same for agility, and they don't conflict in my opinion. As a human being, you have two eyes. The eyes, by nature, don't conflict. You've got two ears. They don't conflict. It's about systems thinking and how to marry the two and to choose the occasion. The wisdom of choosing the occasion or when to close one eye and to look at an issue, or rather you have the two eyes open would affect the decision which one you should use per time. There are times when it is agile and there are times when it is waterfall, and there are unique times when both are needed. They are not conflicting because, at the end of the day, the goal is productivity. There is no formula to how we can succeed and to what degree we can succeed. We just need to be productive. What problem are we trying to solve? What are the real issues? What is the culture? What is unique environment? What are the unique challenges that we want to solve, in a creative way or not? Should we bother spending energy and time using a novel approach or should we just repeat something that is already working somewhere? Which one makes business sense and will give us ultimate value. When we have to do novel ideas, we think agility more. When we have to think an already existing idea that's templated. When you have had heavy success, you may want to waterfall it or have a mixture in iterations. When the risks are high, we are not sure about the prospect of success or failure. When market conditions are very volatile, think agility, because agility gives you the opportunity for the customer or the user to taste what you have in bits and pieces and in iterations. Features are rolled out in iterations, so you know that is a bad idea to go the nine yards or it's a good idea that the customer or the market is looking for more. 
So there's when to use what, and it's a rare blessing, it's a rare gift and it's a rare blessing to be able to use both or to use what it's about cybersecurity and compliance.
Again, I was going to say. Before you dive into that, David, you've just there's some great insights in just what you've just been saying. I think we will probably want to unpack some of that a little bit, and then we'll come back to the side of security, because I'm sure there's plenty there as well. Peter, before you dive in, because I'm sure you're itching to have a couple of questions here. I really liked that. I like what you're saying about that sort of the. You know needing a little bit of both and, coming from you know I've been around the agile community for 15 years and been heavily involved in that, Definitely been involved in project management along the way as well, and I find it, I think, one of the learnings the longer you are around it. It isn't an either or, and so I like that sort of appreciation of it. I think it is also not it's not true that one approach can be applied in all settings, so having that ability to move backwards and forwards, I think, is very very critical.
I agree. I agree, and the successful project of the future will be decision-led, opportunities driven, not necessarily agile or hybrid. I believe we're going more towards the agile world, by the way. But the methodologies and the spin-offs, Kanban, Lean, all of those things, at the end of the day, will be a function of what works. To be headstrong on one method or one approach will be the undoing of the future of businesses. Value must drive whatever decision we take.
Just what we are finding. What works here for the problem you're trying to solve, I think is essential. I do like the way you're describing that. There is a need to understand and draw from whatever the right methods are for the problem you're looking to solve and in a situation where what you're doing is very well understood and you've got the ability to articulate what exactly needs to happen, then you can start to see what that looks like. Of course, a lot of the situations we find ourselves in not like that, especially if we're exploring new spaces or we're trying to understand or operate in the environment that we're not necessarily as clear direction that we're going in. So I do think that an interesting way of describing I thought that was quite good. It's the principles of lean and how those feed into it and where that applies and what that looks like is probably yet another deeper conversation and how all these things relate. I think maybe not exploring that as much. I think there's these pieces of then. How do you take this once you've looked at a problem and decide which method are you going to use and at what point do you make that decision?
That's a very interesting question. There is never any direct answer again. To the man with the hammer, every problem is a nail.
That's a chapter in our ebook.
It is indeed, even if it's not. Thank you so much so.
The flexibility of thinking is a place to start from: the ability, the understanding that is able to see beyond the immediate and the tyranny of the skills we have in the room. Exposure is the first tool to have, and that will not be on the date you encounter the problem. That's why I encourage agilists, who are suddenly being thrown into what I call the competency chaos. Agilists have been approached for problems they may not have capacity to solve, and that's a personal observation. It requires a lot of depth of exposure of the mind to be an agilist, and that exposure will play out when the ball is passed to you on the day a problem occurs. So are you dealing with a supply team problem? Is it a people problem or is it a combination of several things that is playing out? If it is, there's always two out of 10 problems that is the eye of the storm. According to Pareto optimality, there's two to three core problems. If you solve them, you will solve 80% or you have 80% results. If you are able to identify that fulcrum, you can use lean methodology, you can use statistical analysis, whatever means you want. Make sure you do not define the wrong problem, make sure that your discovery tools are very strong. Make sure it is unbiased. Make sure that management, management familiarity, you know, when you're in an organization everybody sees the same thing the same way. Make sure you take care of all the biases. Test your hypothesis, do all the works that Lean would recommend and talk to the people and observe for yourself. Observe, observe, observe beyond what the two tell you. Observe, observe, observe, ask questions. When you've taken in all of that data and you agree on the problem and you probably test the problem, then you can start. But don't go on the route where you invest too much, and this is the wisdom of agility, you invest too much to find out that.
Someone said don't climb the ladder of success to find out you're leaning against the wrong wall, for you must come down all the way to the original base and then start to reposition the ladder and start reclimbing. So the key is to ensure that you got the right problem that you're trying to solve and you won't waste company resources. And there's another soft tool, one for me: should the company solve that problem or should it be ignored? Should that problem be ever solved or should it be ignored? Some companies have picked problems that ended them. They couldn't turn that bend. They were very successful once they decided to turn the bend and that was the end. So it requires a lot of care and a lot of deliberating through and it's not an exact science. I don't think anybody can beat their chests that they can solve that problem easily. It's not very easy to solve but it's possible to solve, David.
So two things jump to mind. Number one do you ever have the time to do the depth of discovery that you're talking about? Because I mean, I agree, if we know we've got Pareto principle, we break down the problems, we make sure we're focused on the 20% that solves 80%, and listen to the users, customers and so on. But in many, many situations we don't have the time. We're instructed on what we have to go work at. And then I think the second thing that comes along is in there's two very different ways of solving the problem. So if you start on the journey, the likelihood is you're not going to suddenly switch from, like, an agile way approach to solving a problem to a more project oriented approach to solving a problem. You tend to already have a map mapping out and in fact this is where those biases, that preference, comes in in many cases. So the idea that we can choose between one or the other is actually rarely. It's not always. It's a very short period of time and we're often not informed. We don't have enough information to be confident one way or the other, and I agree with you, Dave, thank you for that.
And that's why I said the recognition capability of the agilist or the consultant or the problem solver must be sharpened before the moment when you encounter the challenge. Otherwise the thinking and the exposure around the mind of the consultant must be heavy. He must be, whether there's a brief on the table or not. Exposure is king, exposing one's mind to the issues of the day, case studies, causes. It's a nervous world view. In the school of business warfare, like we always say, only the paranoid survive. So because we would hit problems in a confused state, we must have that agility of mind that comes only from exposure. After some years I told you about my telling you facilitation. After some years now, in an entire room, I know how to suspend my bias, yet figure out what's going on quicker. I'm intrigued, so people and I talked about biases and I probably with.
The thing I recognize the most about my biases is how hard it is to suspend them. So, what's your secret sauce?
All biases. All biases reside in the mind. It has a look and feel and your best bet is to identify it and know how it looks on the inside. Many people aren't aware of how their biases look on the inside. For example, for me, I have a bias for age. So when I see a consultant or someone in the knowledge industry who has more age, I'm prone to being biased that the person has more experience. But I have a way now of coordinating myself, yet respecting the person and their experience, but not forgetting to check out what is being said or done, and the moment we approach money or critical decisions, I have the bad habit now of asking many stupid questions. Before, I didn't ask too many questions once I saw you have age. But it took me some years to know that I'm biased and I could mislead people who trust me for solutions. So it doesn't matter the age, whether you're young or old, and I've met young. I met a young lady who was just 27 and the kind of ideas she was spewing out I began to check out. It took me a while to know that I was biased against her because I first was too young to be given that level of money. Later, though, we became good friends. She told me that she felt that bias the first day she met me. She told her colleagues that that guy is biased. He thinks because maybe I'm a woman and I'm young he doesn't trust my competency. She was an SAP consultant and she had three specializations. She was S and D, she was materials management and FICO, within the SAP modules, and I was asking so many questions because she was the lead, she was the one who brought the team, but she was done very good. She knew what she was doing. In fact, she was the reason why the project succeeded eventually. That, for me, was a big lesson. If it was an elderly man above 50, I'd probably not ask too many questions. I've been both that way before.
So, knowing that bias and the feeling: every time you want to display bias, a feeling will precede it. There's a syntax of a bias in the mind, there's a feeling. The bias has an anchor that it starts from; once you see that anchor, you will want to begin to act. So the key to managing your bias is to understand how that anchor is framed and at what point that anchor is framed. Once I recognize that, I'm able to begin to deal with it, once I'm able to be aware that, yes, it's about to start, because it's very unconscious and very subtle. So the work of awareness is to see them and reflect constantly: what are my biases, what are my biases, what are my biases? Once I look at that first point, then it becomes easy.
Then I take things like question, I bring the question. I think it's an interesting way of looking through it and, yes, identifying what triggers your biases is essentially what you're saying, when you see there is something that commonly causes you to start to behave in a particular fashion, and having that self-awareness, which often comes with experience, and taking the time to look back at what you've done and why did I react that way.
Okay, what cause getting feedback as well? Right, Just getting the feedback and just really building that out.
Yeah, my chief, my chief bias officer is my wife. She tells me stretch your biased. She told me many years ago so your bias against young, young people, you're by run you yourself your body. You feel young people are not responsible. Like what do you mean? That's not true. She said you are, you are.
So should we, to switch topics, explore the cybersecurity space? Alright, because how does that fit into all of these other things that we've been discussing?
Yes, thanks for that question. At the end of the day, there is no perfect compliance moment in cybersecurity. There is no final security. There is a fallacy in the cybersecurity world, that CISOs have misled businesses to believe, that once you spend this budget and you do these things, then you are cyber secure. No, it doesn't mean an incident cannot happen. It only means you're compliant, for example, that you've done what the law says. It doesn't mean you are cyber secure. So the nature of cybersecurity itself is modular and is continuous, and that's agility. Right there: we're compliant to this level, we will be compliant to that level in the future. So, rolling out cybersecurity projects in a way that you featurize level by level, if it's compliance, you break them down into what you can manage per time. We're going to be this compliant at year one, this compliant at year two, this compliant at year three. Based on the risks that are anticipated, on the threat landscape of the organization, based on the events and the near-breach incidents that we have, based on the culture and the resilience, the comprehension, cyber awareness levels and the resiliency built into a network, we can select at least a measure per time. So that will be cyber secure 1.0 and then in the future we'll go to cyber secure 2.0. This allows the business not to spend too much money. That, at the end of the day, because many CEOs always ask CISOs, why am I spending this several thousands of dollars and there's no incidents? It's a very, very crazy question for CISOs to answer.
Same on that, operations. People have it, it's like, if you spent all this money yet nothing went wrong. I normally would describe what you say if I gave you a statement along the lines of: you cannot secure yourself with process and tools. The process and tools will not help you build a secure company alone. You need some process and tools. They can help, but it's the culture of the organization that's critical. Thank you. Ultimately, you need the culture, because the culture is having people have the willingness and the safety to speak up when something goes wrong, when they see something that's not safe. Since you're in London, so the announcements you have over the tannoys on the tube: if you see something, say something.
And essentially you need that culture in your organization. So in your experience, what sort of methods have you gone about using to help organizations build a culture where if you see something, you say something?
Good, you measure, yes, you measure that behavior in occurrence. How many incidents did somebody see something and they said something, and it can be simulated. They don't know it's a simulated exercise. You literally cause some breaches or bring some people to do funny things. Let's see how many people will report, let's see how many people will say something, like a simulation, and then we begin to measure that is cyber secure, or we call that particular parameter reporting, incident reporting, and we're going to measure that level. One out of five, because out of a thousand members of staff who saw it or were even aware that something wrong had happened, like somebody tailgated, I mean, there was the case where a CEO brought in his young daughter, tailgating; he used his card to swipe in and everybody at the reception did not complain, nobody reported it because he was the CEO. It's the organizational sensitivity to that height. But by the time we did the cybersecurity human firewall training, because ultimately all hacks are human. Number two, all hacks are financial or money driven; the biggest amount of crimes will go in that direction. So when we did the human firewall, which is, the best firewall you have is human beings, we did some cyber awareness training. Every single person at the reception, save for one woman who was pregnant, reported the tailgating. Now it was a CFO who did it; it was an exercise. So in that area, the cultural behavior had changed. The next question is how do we sustain that behavior? We now began to look into other things so that the people don't relapse back. So you can put that into 1.0, 2.0, 3.0. It's like having agility and the product is getting improved. The cyber secure levels of the organization based on human behavior are improving in terms of incident reporting. So the first key is to calibrate what cultural behavior shift you want to see.
Then you watch out for how people respond, either by simulation or by whatever conditions you set up. So it always gets better with more awareness, and when you tell people stories and they see things that happen to others, it moves up all the time. We do sort of similar exercises around emails. We do emails and people send emails from the CEO's email. But the a, the A, is a different kind of a. Many people did not notice until somebody had sent a piece of information, so we missed that one out. By the time the next one happened, it got better.
I'm intrigued, just as you're saying that. So you said something right at the beginning that has been noodling in my head and I'm just like going, that's just not right. It's not right. But as you're describing what you're talking about in terms of cybersecurity and culture, I'm beginning to think maybe there's some crossover. You said at the beginning of the conversation project management and agility are different mindsets, and my immediate, because you know I come from the agile space more strongly than the project management space, my immediate reaction in my head to that is no, they're not. Project management is a set of tools and methods and things that you can do, agile is way better than that. It's colorful, it's interesting, it has a smell to it. Whatever, my bias is showing through, right, and what you're describing when you talk about cybersecurity is, cybersecurity is a set of tools and methods and processes and so on. But it also has a way of thinking about it and thinking about it as a problem that needs to be solved. So I'm sort of answering my own biased question, if you like, which is recognizing, okay, now I can begin thinking that a set of tools and processes and methods and so on can also create a mindset and an approach, a way of thinking.
But it does take a lot of work, right?
I mean, like any, any organ, any sort of cultural shift, absolutely. You've described some of the approaches to this, Peter. I don't know if you're going to agree or disagree with what I was just saying.
Yeah, I agree too. There's an underlying piece which ties all of these themes together from how you start to create that culture and organization, and as we're talking about this from cybersecurity, there's a lot of other areas around this as well that we could probably dig into, but I'm conscious of time here as well, because there are other elements of cybersecurity that also have to be considered. As we think of the overall information security space and as we start to think about how you secure digital platforms and what does that look like and what are the things we need to do in that space, as well as how the organization responds to different types of threats or different ways of how do you start to build a culture where people are actually coming through and talking about things and having them and are willing to speak up when they see things. I think it's probably a good time to start to figure out how do we wrap this conversation up. Where would we normally, David? We have these conversations. We try to bring forward like three main points that we have, and since there's three of us, we could probably each bring our own, so I'll say how about you, David? What would be your one takeaway from this conversation today?
All right. That agility can help organizations save money in cybersecurity programs and projects by selecting what features to roll out, and you can calibrate behavioral, cultural nuances so that you have a version 1.0, version 2.0, version 3.0. And that can be attached to budgets and to rollout plans and programs. It can also help CISOs to select candidate intervention plans, as against the traditional waterfall where every year you ask for a budget. This time around you can tie into feature-based thinking that agile gives you the opportunity to infuse, and the breakthrough thinking for cybersecurity experts and CISOs, in that you can now target improvement that way, rather than just asking for a waterfall budget, a lot of arguments, but you can tie features on how we're improving using agility, which is feature 1, version 1.0, version 2.0. So just to say, we roll out software products. So the organization is cybersecurity at level 1.0, 2.0. It can do compliance the same way.
Whichever way you choose, you can follow the same way, the interesting space to explore there, the versioning of your company's culture. Dave, what would you take away?
I'm referring back to some of the conversation we had earlier on and this is, as I was saying, David, this is going to go around my head for a while. I'm sure Peter will end up discussing this more, but I think in many cases, how agility and how project management come together, there is definitely a friction point and I don't think it's as simple, as I mentioned, as an either or. I really don't find the concept of a hybrid approach being particularly useful. I think that one is a distraction in some ways, but I've really learned a lot just in terms of appreciating some of the overlap and some of the recognition that both of those approaches bring different ways of solving problems, and I really liked what you said right at the beginning. It's a focus on getting stuff out of the door that is valuable to your end user and really how it gets done. We want to optimize that, but we don't worry about what approach it is. It's going to depend on context.
Well, I'm going to pick the leaving your biases at the door. The self-reflection and getting feedback, I think, is an important part to be able to identify what is triggering the particular behavior. I think along with that is listening to that feedback as well, I think is a critical piece, and being open to it. Well, I'd like to thank you, David, for joining us today, and it's always good to see you, Dave, and we'll wrap it up there today, and if anybody wishes to send us feedback, they can at feedback@definitelymaybeagile.com. And don't forget to hit subscribe, because we always like you to subscribe.
David, thanks again.
Thank you so much.
Thanks everyone. You've been listening to Definitely Maybe Agile, the podcast where your hosts, Peter Maddison and David Sharrock, focus on the art and science of digital agile and DevOps at scale.