Friday, December 3, 2010

A Manifesto on Problem Solving

I have a natural tendency to be a helper, a problem solver. It drives my wife crazy when I try to solve her problems and she "only wants me to listen." I've long considered the question "what are my essential elements to effective problem solving?" What follows is my distilled "Manifesto on Problem Solving." I strove to keep it simple, straightforward, focused, and easy to remember.

  1. DON'T SOLVE PROBLEMS THAT DON'T EXIST
  2. SOLVE THE PROBLEM, NOT THE SYMPTOM
  3. CONTINUALLY TRIAGE
  4. SEEK THE SIMPLEST SOLUTION
  5. MAINTAIN THE VISION
  6. START EVERY SOLUTION WITH THE INDIVIDUAL: YOU

To explain in detail:

  1. DON'T SOLVE PROBLEMS THAT DON'T EXIST
    It sounds obvious, but it can be easy to forget and can be a temptation for those of us that enjoy developing "cool" solutions. Before I delve into lengthy and possibly expensive solutioning (in time and money), I want to make sure the problem I'm trying to solve really IS a problem. Especially if you're in the business of developing solutions, this is critically important, even to the point of being an ethical imperative where spending your client's money is concerned.
  2. SOLVE THE PROBLEM, NOT THE SYMPTOM
    Make sure you're finding the real problem, not just what initially is presented as the issue. This can take a bit of critical thinking and investigating, but can be done rapidly in conversation. I see a breakdown in this area often in organizations, especially when the root cause may be difficult to confront, e.g., an organizational culture issue rather than a process issue. One of my favorite models for this root cause analysis is the "Five Whys" of Sakichi Toyoda. Keep asking "why" each symptom happened until you reach the root cause.
  3. CONTINUALLY TRIAGE
    Always ensure you're solving the most critical issue now. The triage concept originated with French Army field medics in World War 1, and has undergone many evolutions since then, but the original elements are the same and can be applied metaphorically to any problem situation. A more modern version for use in catastrophes categorizes patients (in order of triage importance) as:
    1) those most in need of immediate care,
    2) those whose required treatment can be delayed,
    3) those likely to live, regardless of treatment, and
    4) those likely to die, regardless of treatment.
    Translated to business problems, this can be done by quickly bucketing problems into: "Now", "Next", and "Someday." Continually triaging, and prioritizing within each bucket, is the key.
  4. SEEK THE SIMPLEST SOLUTION
    My best friend is a sage in this area. I went to him one time in college because my elbow was hurting when I moved in a certain way. I said "it hurts when I do this." His response: "Well then don't do that." SIMPLE. Humans naturally add detail to anything. We find simplification far more difficult than elaboration. The simplest solution to a problem is often the easiest to implement, and will keep you focused on solving the problem rather than finessing the solution.
  5. MAINTAIN THE VISION
    Never lose sight of the goal, the vision of what you, your system, or your organization is trying to accomplish. Post it somewhere visible. Begin solutioning every time with the question "does fixing this problem serve our goal(s)?" If not, put it in the "someday" bucket.
  6. START EVERY SOLUTION WITH THE INDIVIDUAL: YOU
    When you follow this tenet, problems will be solutioned at the most basic level possible and have the best chance of remaining targeted and simple. Think about your home life: if you have a clogged drain, are you going to call the federal government for help? Of course not, that would be ridiculous. You're going to go to the store and buy drain cleaner, because you understand that's all you need. (Although if you did ask the government for help, you might see a costly commission convened to study the curve of drain piping and its effect on debris-filled water flow contributing to clogging. Maybe new regulations for plumbing would be enacted.) If you don't have the means to solve the problem, then and only then escalate it to your boss, or your municipality. Performing the same means check at each successive level will ensure that the only problems that bubble to the top of the hierarchy (like national defense to the federal government) will be those that truly must reach that level to be solved.

What tenets for effective problem solving do you ascribe to? Do you have something to add to the list? As always, I welcome your comments.

Friday, October 29, 2010

Are Your Teams “Wired for Agile?”


Agile "out of the box" looks easy. Heck, it is easy. Take Scrum: a light framework (three meetings, three roles, three artifacts) within which teams self-norm. Form a team, plug 'em in and let 'em go…success! And the business side of the house and organizational leadership just kick back and reap the benefits, right?


Wellll…no. This approach belies the social and, frankly, psychological complexity in making the move to highly functioning Agile teams and Agile organizations. If you've tried the simplistic tools/processes-based approach, you've most likely struggled or enjoyed, at best, limited benefits of Agile (the "qualified success"), whether you or your organization is aware of it or not.


When I conduct trainings or speak to groups about Agile and Scrum, I'm often asked questions like "if I have a good traditional project manager, will he/she make a good Scrum Master?" or "what kind of personality is 'right' for Agile?" These are insightful questions to ask, because the reality is Agile is not right for every personality, and not every good traditional project manager will make a good Scrum Master. For that matter, I think the reverse is often true: a team member floundering in a traditional project structure or an underperforming traditional PM may thrive in Agile. The key is digging past the nuts and bolts of Agile – the roles, meetings, artifacts, tools, and processes – into the values and beliefs shared by highly functioning Agile teams and organizations. Then, you have to decide whether your team members and organizations have, or even want, to embrace those values and beliefs. In this multi-part series, I'll be doing that deeper digging, and looking at what it really means for teams, Product Owners, Scrum Masters, and ultimately organizations to be "wired for Agile." In this first installment, let's look at the team level.


At its core, this is about the values and beliefs of team members. Your values and beliefs define how you interact with the world around you. They drive your assessment of which activities you find helpful in your workday, which you identify as impediments, and ultimately why I can present the same process to two different people, each will rate its value very differently, and they'll both be right…because it's subjective. Life coach Tony Robbins, in his series "Personal Power," talks about values and beliefs as being the drivers of your behavior. He teaches that your values define what's important to you: success, love, freedom, simplicity, transparency, etc. Your beliefs, then, are tests of whether those values are being met. Ask someone to state something they value, and then ask them "how do you know you have <the value>?", and they'll tell you the underlying belief. This is how two people can have the same values, but wildly different beliefs of what it means for those values to be met.


Take the value of Success as an example. Tony uses this example in his series. He had two attendees at a conference that both stated they value Success. When asked if they were successful, the first attendee, a corporate executive, surprisingly said "No." His definition of a success was a litany of criteria: you had to make $1 million/yr (he was something like $50k below that), you had to always be positive and never be down or depressed. The list went on and on. Tony asked the other attendee if he felt successful and the man replied with an enthusiastic "Yes!" How could he tell he was successful? Easy: he said "well, I feel that every day I'm above ground is a successful day. So I wake up, look around, and if I'm above ground, I'm successful." We see two very different belief systems feeding a shared value.


So how do we apply this to building a team "wired for Agile?" It takes more than just a cursory glance at the Agile Manifesto, but that is a good place to start. Even though the Manifesto says "…we have come to value…" what follows (Individuals & interactions, working software, customer collaboration, responding to change) is a mixture of what I term as "Ends" values (goals) and "Means" values (methods). They're not all exclusive to Agile teams, either. Waterfall PMs value the "Ends" value of working software too, for instance. But a "Means" value of customer collaboration – interaction – over comprehensive documentation won't likely be shared by lovers of documentation, as I noted in a previous blog. We have to sift through the Manifesto and then do some further digging for "Means" values that highly performing Agile teams should embrace, and what beliefs would need to be present for people to be happy working on those teams.
Here are just some of the values you should look for in choosing people for an Agile team:
  1. Collaboration: Effective Agile team members don't work in their own silos. They talk to each other, and the Product Owner, frequently. A former instructor of mine described programmers as "sitting alone in a dark room, growing mushrooms all day." Potential team members that prefer to spend 8 hours a day, every day, alone on their own tasks may not be the best choices for an Agile team. Ideally, you're going to colocate these team members. So look instead for people who value collaboration, and favor face-to-face communication over channels like email, instant message, or phone.
  2. Adaptation: Some people get very uncomfortable with change. These are people happy with predictability in their daily work. The antithesis of this might be the person who gets bored being on a maintenance project. Look for people who value adaptation, and express a belief that goes something like "I'm adaptive if I'm able to – and maybe enjoy – shifting direction quickly in response to changing conditions." If they get bored with routine, that's also a good indicator that they're right for an Agile team.
  3. Autonomy: This is a concept from the Self Determination Theory in psychology that addresses our "…universal urge to be a causal agent of our own life." In other words, "having the freedom to make your own choices." This is an important characteristic of Agile team members because we want to set the goals for them (the prioritized Product Backlog), and give them the autonomy to decide the best way to achieve those goals. But the team must still be on the hook to deliver business value, so with autonomy must come a sense of responsibility. "I like to be left alone" is not enough to tell us if a person has the right beliefs related to autonomy. Someone who says "just tell me what you want me to build and I'll build it" seems to value autonomy, but likely doesn't believe that responsibility goes with it. Keep that way of thinking off your Agile team.
  4. Transparency: On a properly functioning Agile team, there's nowhere to hide. We hold daily standups where team members talk about what they did since yesterday and what they will do before tomorrow. Teams share work in progress with the Product Owner, at whatever stage it's in. We post our progress, or lack thereof, in clear view for any passerby to see. This can be difficult, and is not for everyone. It's about daily accountability. Look for someone that favors true, honest transparency and defines it in terms of sharing daily successes and failures throughout the process. (NOTE: you have to commit to making it safe for them to share the failures). If someone tells you that the hardest thing about Agile is having to say what they are doing on a daily basis and how long it will take, they are unlikely to be happy on an Agile team.
  5. Teamwork: It's an overused term, but important in Agile. There's no such notion among Agile team members as "you failed your sprint, but I succeeded in mine." Here, you want to look for people that define teamwork as "doing whatever I need to do to help the team succeed." You want to seek, for instance, a developer who wants to help the testers test if they're behind and the developer is available. Avoid the "it's not my job" people here. In addition, look for people who like to be sociable with each other to at least some degree. These folks will spend a good amount of time interacting. If they enjoy each other's company, it will make that interaction much easier and more likely to happen.
  6. Efficacy: This can be a tricky one, but let me explain what I mean. In the field of electrical lighting, efficacy is defined as "the amount of energy service or useful energy delivered per unit of energy input." In Agile, we place high value on reducing waste and spending as large a percentage of your time as possible adding value to the product. So look for someone who has an aversion to "Process at the expense of Product." This might be someone that dislikes going to a lot of meetings in which they just sit and listen, or dislikes heavy overhead processes that take them away from developing for a significant amount of time. Avoid people that tend to call these type of meetings, even in spite of the effectiveness of the outcome. They may be overly favoring process.
  7. Simplicity: To maximize efficacy, it is wise to seek the simplest solution to a problem. People who fit this value should be easy to spot in design meetings. They'll be the ones likely, as I say, "clouding the issue with logic." Again, this can be a fine line to evaluate in someone, but people who like to spend an exceptional amount of time in elaborate design before beginning development may end up feeling pressured on an Agile team that values simple approaches and learning as they go. The adaptive approach is also known loosely as the "ready, fire, aim" approach. Tom Steele has a nice blog explaining this phrase over at the Scrum Alliance.


As I said, these are just some of the values you could look for to build a successful Agile team. I would very much like to hear yours. I welcome your comments.

Tuesday, August 3, 2010

Managing Stakeholder Expectations in Agile


When starting any new significant change in your life, its easy (and natural) to have high expectations. Whether it's starting a workout program, a new job or even a marriage, human beings tend to get caught up in the euphoria of the newness and all that the change can seemingly promise. Unrealistic expectations of (somewhat) effortless success can pervade and sometimes sabotage the effort. Transitioning from traditional Waterfall-based methodologies to Agile is no different. The promise of the "silver bullet" of Agile and common misconceptions about what Agile even is (or isn't), if allowed to persist, will make the move far more difficult than it needs to be. Let's look at some of the challenges related to stakeholder expectations in Agile and how to address them. 


Battling Misconceptions
There are some common misconceptions out there about what Agile is or is not, and you need to address these before they manifest on your adoption. Here are a few of the biggest ones:
  1. "Agile=Rapid Development" – I'm not exactly sure where this notion started, but it is even perpetuated by some Agilists in the community. This, in my opinion, is potentially the most dangerous misconception that stakeholders could have. It's the notion that because you're "doing Agile," you'll just get done faster. I argue that while this will likely end up happening in the long run, I wouldn't characterize it as "rapid development." "More efficient development" is the term I would use. Agile should end up giving the development team more value-added time by stripping away unnecessary processes and lost time from miscommunication that comes from relying on the written word. It should also give the business quicker ROI by delivering release-ready product sooner in the business cycle. But stakeholders shouldn't expect that all else can stay the same, the development team starts "doing Agile," and code will just be cranked out sooner. 

  2. "Agile=No more Documentation" – Looking at the Agile Manifesto, and the valuing of "Working Software over comprehensive documentation," stakeholders will often expect this will mean they will get NO documentation. This should not be the case. As I tell my teams, "I want you to do as much documentation as is absolutely necessary." And how/when/if you should create the document depends on the type of document it is. To look at this a little more closely, I'll divide documentation into three subgroups:
    1. Compliance – Documents required by governing bodies external to the team, be they industry regulatory governance or even internal project management office requirements. Either way, those types of documents are necessary to release the product, even if they are not part of building the product. Creating these documents should be tasked out on the Sprint backlog, even if those tasks are all taken by a B.A. or technical writer. These tasks will likely be ongoing during a sprint so as to avoid a mad rush to document at the end.
    2. Users – User guides, help documentation, etc. These types of documents also are not directly related to building the product, but necessary for release. The key to developing these documents is to generate them as late as possible in the process, so as to capture the end state of the product, rather than expending effort throughout the development cycle to continually try to capture the change. Since they aren't published until release time, all that time spent changing them is waste.

    3. Team – These documents are used by the team to document the development of the product and the technical aspects of the design. These will likely include logical and physical database models, class diagrams, design guidelines…anything you can picture would be used by designers and coders to understand how the product was/is designed and functioning under the surface. There are two keys to these documents:
      1. Have the conversation first, then document – We shouldn't assume we need all the documents we're used to generating. Teams should first talk about an issue, or approach. If they arrive at an agreement and no documentation is needed, then don't produce it. If they decide they need documentation at that point, then they've proven its validity and should task it out.
      2. Generate the documents, don't author them – Especially when we're talking system and database documentation, there are plenty of tools out there that can reverse engineer code or databases and document the end state. Spend your time collaborating and designing, then use one of these tools one the design is stable and let it do the work for you to optimize your time.
Radiating Information
Another key way to manage expectations is to give stakeholders the transparency that Agile promises. Use "information radiators" to do this. Beyond the typical burndown chart used primarily by the team to track progress towards sprint completion, consider using a burnup chart, showing the additional metric of scope change. In this way, stakeholders can clearly see the effect that adding or removing scope will have on the team's progress towards reaching their goal.




















Burnup Chart



Consider also adding the information radiators of a release burndown and velocity charts. A release burndown will simply show the amount of work remaining from the product backlog after each sprint. Used in conjunction with a velocity measurement chart of the amount of work the team completes in each sprint, simple math will give you and stakeholders the best case, worst case, and probable average for how long it will take the team to complete the work for the release.

Velocity Chart





No "Silver Bullet"

You must coach stakeholders that Agile is not a "silver bullet" that will solve all the organizational development challenges overnight. Transitioning to Agile will actually surface organizational impediments, likely starting with the most significant and painful. What the organization decides to do about the impediments is the question. As Ken Schwaber says "Bringing Agile into your organization is like inviting your mother-in-law to come live with you. She won't solve all your problems, but she will sure point them out to you." Stakeholders should expect that following the initial euphoria that often accompanies new efforts, there will likely be a time when those involved find it very difficult, and it will seem easier to go back to the old ways. It's at this time that their commitment and support will be most vital to the team, to help them push through the "valley of despair."





Expect to Communicate

Finally, stakeholders should expect to be engaged throughout the process. Collaboration is critically important to successfully adopting Agile. If stakeholders expect to be disengaged, development will be far less likely to match the needs of the business. Ultimately, Dialogue + Transparency + Collaboration = Trust…and trust between stakeholders and the team will breed the most success.

Thursday, May 27, 2010

Working without a Net: Making the Move from Traditional Requirements to User Stories


Walking across a tightrope 30 feet in the air would frighten most of us, but having a safety net might make you feel safe enough to try it. The reality is you can get hurt pretty badly in a fall even with a net, so the feeling of safety is more perception than reality.

For teams happy with the perceived security provided by highly detailed, prescriptive requirements, moving to user stories will probably feel like removing that safety net…more detail is seen as more security. But when practicing Agile, making that move is essential to shortening your timelines to release, eliminating waste in your development processes, and having more assurance that what is actually developed will more closely align with business needs and wants.

What's Your Story?
So why do Agile practitioners favor user stories? A user story is a starting point for a conversation between a Product Owner and the Development Team. It's a vehicle to express the business needs to the Team, in language that a user of the application should understand. A classic user story template has the following format:

As a [user role],
I want to [accomplish a goal],
so that [reason].

Let's examine that story template a little bit. Why is it so effective? We find an answer by looking to journalism and police investigations, to the "Five W's." In those arenas, these are essential elements of gathering or telling any complete story. You likely learned them in high school composition class, too. (The documented origins go back at least 2,000 years to the Roman orator Cicero, so it's safe to say they're time-tested.) They are the questions:

  1. Who
  2. What
  3. When
  4. Where
  5. Why
The questions are designed to bring out the expositional details in a story, effectively "the essentials." Mapping to the user story template above, the [user role] tells us "Who," [accomplish a goal] answers "What", and the [reason] addresses a key element for understanding, the "Why." The "When" and "Where" often crop up in context throughout the elements. Consider a mobile application for users to get information about your local city. As an example:

"As a city visitor,
I want to get a list of festivals during my vacation week
so I can plan my itinerary."

Who=a city visitor, (not a resident)
What=get a list of festivals for the week they'll be in town
When=(presumably) some time before their vacation week? How much before? Good question…
Where=on their mobile device (we're building a mobile app)
Why=to plan their vacation itinerary
How=??? Yes, the "How" is missing, and that is on purpose.

The story clarifies the essential elements of the goal. Notice that the "When" answer generated a question for discussion and clarification. Notice too, that no implementation details are present…there's nothing in there about buttons, links, grids, etc. The answer to the question "How do we get there?" is left up to the development team. The Product Owner owns the 5 W's, but the development team owns the "How." And in the conversations around the user story, you also end up tapping the creative minds of the developers to help shape the requirement. That input might otherwise be missed by just relying on the one-way communication of handing them the finished requirement.

"But I want my detail!"
A car salesman can show you a brochure, review all the technical specs on a car, and tell you how great it is, but only when you test drive it do you get the real feel of whether it's right for you. I tell my teams that "at some point, you will have all the detail." That's at the end of the iteration, when the feature is delivered. Only then are all the unknowns eliminated. Both Agile and traditional requirements get you to all the detail, they just go about it in different ways. Traditional requirements are most often developed completely before development begins. Detail is arrived at by people speculating, projecting, maybe wire framing, and likely guessing at what the end state of the feature will be. The challenge there is that change is a constant, so everything that changes in the end makes the upfront effort to project the end state of what ended up changing into wasted effort. In Agile, beginning with user stories, the details are arrived at collaboratively between the Product Owner and the team, building something and putting it in front of the Product Owner for a test drive, and iterating and incorporating his/her feedback until the feature reflects what the Product Owner wants.

Not All Truths are Self-Evident
To some (both business and development), moving from generating and following detailed, prescriptive requirements to using user stories and face-to-face collaboration will be liberating… "Finally!...free from all the overhead!" But for others, it will like being made to walk that tightrope without the net, and their reaction can be visceral. Some Product Owners will feel that if they don't put all the detail in the requirements, they won't get what they want, or something will be missed. Some developers actually prefer the prescriptive development model of "just tell me what you want me to build and I'll build it." If you've embraced user stories and the benefits they and collaboration offer, that way of thinking will likely make little sense to you. You may even have a deep desire to stand up in a team meeting and proclaim "We hold these truths to be self-evident, that ALL Agile tenets are created good!" But you have to understand that some people are just not wired that way. Agile is a culture and a mindset, based on the Principles and Values of the Agile Manifesto. If your Product Owner or team members don't share those principles and values, you'll have a difficult time debating the merits. Remember, all the logical arguments in the world about how user stories are better won't matter to them. We're talking about perception of security here, and possibly even emotion, so it becomes subjective rather than objective.

So how do I make the move?
It's far more difficult to get people to remove detail from requirements than to add it. When faced with stiff opposition on this front, try putting the requirements through the same processes and rigor you would use to declare a user story to be "sprint ready":
  • Engage the team in backlog grooming on those requirements. This will get the conversation between the team and business started sooner, and can open their eyes to the magic of collaboration in discovering that they need less detail spelled out in advance than they previously thought.
  • Ensure that the 5 W's are present and clear in every requirement, and that the "How to" is not.
  • Require every requirement to pass the INVEST acronym test: Independent, Negotiable, Valuable, Estimable, Sized appropriately, and Testable.
  • Make sure also that each requirement has well formed "acceptance criteria" – just a few (maybe 2-5) clearly stated criteria, expressed again in language any user can understand – that tell us when the requirement is met. It gives you a clear script to demo against in the demo at the end of the iteration.
  • The other extensive details can be covered in test cases, and their pass/fail can be reported succinctly in the final demo rather than walking through each flow in an all-day meeting.
Taking these steps to start with can start you down the path of transformation, give you some essential benefits of user stories, and overcome the objection of "working without a net." As always, I welcome your comments.

Friday, January 29, 2010

Sometimes, It's the Little Things...

Sometimes, it's the little things that make all the difference in the world for people...like the person that buys a $30k car just because they like where the cup holders are placed. Yes, I laughed at that too, but I've actually seen that happen.

Clients are people too, and I like to look for opportunities to provide a "better than expected value" for them. By that I mean, not just confining ourselves to what the SOW says we're to deliver, but other opportunities to deliver added value...whether it be handling little ancillary issues for them from a project management standpoint, or some helpful little documentation, or just a quick interpersonal check-in.

One way I go about this is I routinely (maybe daily) ask the stakeholder(s) "How can I help you? Is there anything I can do for you?" But you have to really mean it...come at it from a personal approach. The way I look at it, if it's something that lies outside of my realm of job duties, but isn't anything much to do, and helps them...it's worth a lot more in client relations in the long run than the few minutes it may take me to do. Maybe it's scheduling a meeting for them that they were going to schedule, but we're both attending, so I’ll do it. Sometimes, a client may be just overwhelmed with their workload and really flustered, and while there may not be anything I can do for them at the moment to lessen it, they appreciate just being asked. They like to know that someone just cares as a person. (NOTE: If you’re just not that kind of person, don’t attempt this. Being disingenuous with this is worse than not doing it at all)

Another way I've been doing this, as I alluded to, is supporting documentation. I’m talking about little “extras” that help the client, and might be something we would find useful ourselves anyway. By that I mean, we're not burning cycles producing some frivolous document just to provide that "added value" (i.e. make work), but something that they can actually use, but aren’t expecting...think Lean, and the categories of Value-Added, not Value-Added but Necessary, and Waste. Avoid the Waste.

Recently, I worked on a solo project for a client. There was a basic process logic flow that was an early deliverable, but there was one extra request from the client to annotate it. The annotation wasn't in the strict SOW, but I did it and in addition, color-coded the map by processing module to make it even easier to follow. As a result, It proved to be a valuable tool to for the client to easily communicate the logic of the application to both business stakeholders and technical staff. And while a lightweight technical manual was in the deliverable, I added details that weren't defined...such as including that diagram, writing detailed install instructions, etc. Again, these weren't strictly required, but were just something I wanted to include to make things a little easier, a little nicer for my client. And they appreciated it, which is what really made it all worthwhile.

Like I said, sometimes it can be those little details that really make the difference.

Monday, January 25, 2010

Microsoft’s new SDL Perpetuates Some Misconceptions of Agile


Recently, Microsoft published its updated Security Development Lifecycle (SDL), version 4.1a. It includes provisions for incorporating security tasks into Agile development, so naturally I was interested to read it. While on balance I understand what Microsoft is trying to do with this effort, I found a few misconceptions and knocks on Agile that I felt were unfair and disconcerting.
The chief misconception of Agile that I see perpetuated in this document is that Agile releases after every sprint (iteration). While this is possible, it is not necessarily the case and certainly not required by the framework.

On p. 47, in the section on “Melding the Agile and SDL Worlds,” the authors make the statement:
“With Agile release cycles taking as little as one week, there simply isn’t enough time for teams to complete all of the SDL requirements for every release.”
There are two issues with this statement, and similar statements throughout the document. First, the statement assumes a release after each sprint. Agile focuses on producing potentially releasable product in every sprint – and this is an important distinction. As you use Agile in your organization, if you don’t need to release after a one-week sprint, then don’t release. There’s no rule that says you must. Second, the statement seemingly knocks Agile for having sprints (they say “release cycles”) that are ‘too short’ to accomplish all the necessary tasks for SDL requirements. Again, there is no hard and fast rule here for Agile, other than the strong suggestion (call it a rule if you want) that sprints should be time-boxed to 30 calendar days maximum and that sprints stay the same length for consistency. But a team and Product Owner can choose a sprint length that is appropriate for their development model and business needs…if a team is choosing one-week sprints but can’t fit in security tasks deemed necessary, then the sprint timeframe needs to be lengthened.

There were also a few statements with respect to Agile and security in general with which I took exception. In the Introduction on p. 47, the authors make these statements:
“Historically, security has not been given the attention it needs when developing software with Agile methods.”
“There is a perception today that Agile methods do not create secure code, and, on further analysis, the perception is reality. There is very little “secure Agile” expertise available in the market today.”
The problem here is that the authors blame Agile methods for this shortcoming (real or perceived), and not the implementation of those methods, or rather the prioritization of the requirements or user stories undertaken in those Agile methods. If security requirements aren’t being given the attention they need, that’s flat out a failure of prioritization of the requirements by the Product Owner, not a failure of the methodology. You could conduct a sprint consisting entirely of security-related requirements, if those are the top priority, and that would be perfectly valid. Also, the very notion that there is little “secure Agile” expertise in the market is a logical fallacy called a “Complex Question”: unrelated points conjoined as a single proposition. In other words, there’s no such animal as “secure Agile.” There’s Agile. Security is but one consideration among others that can, and should, drive the prioritization of a product backlog.

I then came across this little gem of a paragraph on p. 50 of the document:
“Although SDL-Agile was designed for teams with short release cycles, teams with longer release cycles are still eligible to use the SDL-Agile process. However, they may find that they are actually performing more security work (emphasis added) than if they had used the classic, waterfall-based SDL. Requirements that a team only needs to complete once in classic SDL may need to be met five or six (or more) times in SDL-Agile over the course of a long project. However, this is not necessarily a bad thing and may help the team to create a more secure product.”
This smells to me like the framers of Microsoft SDL-Agile decided that there were certain security requirements that needed to be performed every sprint without consideration of the release schedule of the product. And, in fact, they seem to admit to as much in the preceding paragraph. This is all well and good, I suppose, if you’re OK with doing five or six times the required work for a release as you could otherwise do. But if that’s so, why would one ever choose to do that?

I’d like to offer a couple of options for the SDL-Agile folks to consider. First, remember that Agile doesn’t require you to release after each sprint, only that you produce potentially releasable product.  Second, consider using a “Release Sprint”: a sprint of those activities required before a release that may not be required in each development sprint. This could contain security-based stories as well as other typical release-related activities like, perhaps, user acceptance testing or compliance reviews. But my overarching advice to them, and to you, is to not let misconceptions of Agile hamper your implementation of it. Instead, just understand and respect the basic framework, and look for opportunities to apply the framework, principles, and culture of Agile within your organization. Do those things and I suspect that you’ll be pleased with the results.

As always, I welcome your comments.