The following is an AI summary of the event.
This Agile Alliance Tech Talk featured Tobey Allman discussing how organizations can foster a collaborative security mindset through interactive learning—particularly via Capture the Flag (CTF) events. Allman framed security as a shared responsibility and positioned CTF as a practical, engaging, and inclusive way to build skills and trust across cross-functional teams.
Key Themes and Highlights
Security is Everyone’s Job
Allman opened by asking, “What is a secret?” to highlight how differently people interpret confidentiality, privacy, and data protection. From GDPR compliance to password handling, he emphasized that security is not just a technical issue—it spans product management, HR, marketing, developer experience, and more.
Capture the Flag (CTF) as a Learning Tool
Allman introduced CTF as a hands-on, gamified security training tool that simulates real-world vulnerability discovery and exploitation. Unlike traditional passive training, CTFs encourage participants to:
- Practice in a safe, sandboxed environment
- Learn collaboratively
- Build empathy between departments
He warned that poorly executed CTFs—especially those that create fear of failure—can backfire, reducing psychological safety and discouraging openness about security risks.
Designing CTF for Collaboration, Not Competition
Drawing from experience at CircleCI, Allman shared how pairing people with different knowledge levels (e.g., ops with marketing) created effective learning dynamics. The format emphasized shared success, not individual competition.
He outlined key success factors:
- Intentionally mixed pairs
- Prioritizing learning over winning
- Clear role expectations (e.g., strong-style pairing where the junior person drives)
- Defined logistics (tools, timezones, time blocks)
- Technical pre-checks and retrospectives
Pair Programming and Psychological Safety
The talk broadened into a deeper discussion of team dynamics, especially around pairing. Allman advocated for:
- Letting junior team members “drive” to increase engagement and learning
- Encouraging seniors to ask clarifying questions before giving answers
- Emphasizing humility, excitement, and psychological safety in all collaborations
The Security Mindset vs. Agile Mindset
One audience question explored whether the “security mindset” (cautious, skeptical) clashes with the “agile mindset” (adaptive, iterative). Allman argued they are complementary when viewed through a modern lens:
“You can’t inspect security into a system—just like you can’t inspect quality in. You build it in by fostering a culture of learning, openness, and cross-team understanding.”
Security, like DevOps, benefits from breaking down silos and encouraging whole-team accountability.
Final Takeaways
- Structure is helpful—as long as it’s flexible and team-owned. The most valuable structure is one that defines how to change itself.
- Effective pairing isn’t just for coding—it’s for collaboration. Role clarity, shared goals, and mutual respect make it work.
- Security culture starts with learning. CTFs provide a low-stakes environment for teams to explore complex problems together.
Closing Thought:
“The best pairing happens when seniors learn to teach through listening, and juniors are given the space to lead through curiosity.”
Tobey Allman closed by offering a worksheet (available via LinkedIn) for teams to self-organize around successful pairing practices and CTF planning.