{"id":8096433,"date":"2025-07-09T13:28:23","date_gmt":"2025-07-09T20:28:23","guid":{"rendered":"https:\/\/agilealliance.org\/?post_type=aa_event_session&#038;p=8096433"},"modified":"2025-08-01T08:13:11","modified_gmt":"2025-08-01T15:13:11","slug":"divide-and-conquer-practicing-security-as-one-agile-team","status":"publish","type":"aa_event_session","link":"https:\/\/agilealliance.org\/resources\/sessions\/divide-and-conquer-practicing-security-as-one-agile-team\/","title":{"rendered":"Divide and Conquer: Practicing Security as One Agile Team"},"content":{"rendered":"\n<p><em>The following is an AI summary of the event.<\/em><\/p>\n\n\n\n<p>This Agile Alliance Tech Talk featured <em>Tobey Allman<\/em> discussing how organizations can foster a collaborative security mindset through interactive learning\u2014particularly via Capture the Flag (CTF) events. Allman framed security as a shared responsibility and positioned CTF as a practical, engaging, and inclusive way to build skills and trust across cross-functional teams.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Key Themes and Highlights<\/h3>\n\n\n\n<p><strong>Security is Everyone\u2019s Job<\/strong><\/p>\n\n\n\n<p>Allman opened by asking, \u201cWhat is a secret?\u201d to highlight how differently people interpret confidentiality, privacy, and data protection. From GDPR compliance to password handling, he emphasized that security is not just a technical issue\u2014it spans product management, HR, marketing, developer experience, and more.<\/p>\n\n\n\n<p><strong>Capture the Flag (CTF) as a Learning Tool<\/strong><\/p>\n\n\n\n<p>Allman introduced CTF as a hands-on, gamified security training tool that simulates real-world vulnerability discovery and exploitation. Unlike traditional passive training, CTFs encourage participants to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Practice in a safe, sandboxed environment<\/li>\n\n\n\n<li>Learn collaboratively<\/li>\n\n\n\n<li>Build empathy between departments<\/li>\n<\/ul>\n\n\n\n<p>He warned that poorly executed CTFs\u2014especially those that create fear of failure\u2014can backfire, reducing psychological safety and discouraging openness about security risks.<\/p>\n\n\n\n<p><strong>Designing CTF for Collaboration, Not Competition<\/strong><\/p>\n\n\n\n<p>Drawing from experience at CircleCI, Allman shared how pairing people from different knowledge levels (e.g., ops with marketing) created effective learning dynamics. The format emphasized shared success, not individual competition.<\/p>\n\n\n\n<p>He outlined key success factors:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Intentionally mixed pairs<\/li>\n\n\n\n<li>Prioritizing learning over winning<\/li>\n\n\n\n<li>Clear role expectations (e.g., strong-style pairing where the junior person drives)<\/li>\n\n\n\n<li>Defined logistics (tools, timezones, time blocks)<\/li>\n\n\n\n<li>Technical pre-checks and retrospectives<\/li>\n<\/ul>\n\n\n\n<p><strong>Pair Programming and Psychological Safety<\/strong><\/p>\n\n\n\n<p>The talk broadened into a deeper discussion of team dynamics, especially around pairing. Allman advocated for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Letting junior team members \u201cdrive\u201d to increase engagement and learning<\/li>\n\n\n\n<li>Encouraging seniors to ask clarifying questions before giving answers<\/li>\n\n\n\n<li>Emphasizing humility, excitement, and psychological safety in all collaborations<\/li>\n<\/ul>\n\n\n\n<p><strong>The Security Mindset vs. Agile Mindset<\/strong><\/p>\n\n\n\n<p>One audience question explored whether the \u201csecurity mindset\u201d (cautious, skeptical) clashes with the \u201cagile mindset\u201d (adaptive, iterative). Allman argued they are complementary when viewed through a modern lens:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cYou can\u2019t inspect security into a system\u2014just like you can\u2019t inspect quality in. You build it in by fostering a culture of learning, openness, and cross-team understanding.\u201d<\/p>\n<\/blockquote>\n\n\n\n<p>Security, like DevOps, benefits from breaking down silos and encouraging whole-team accountability.<\/p>\n\n\n\n<p><strong>Final Takeaways<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>Structure is helpful<\/em>\u2014as long as it\u2019s flexible and team-owned. The most valuable structure is one that defines how to change itself.<\/li>\n\n\n\n<li><em>Effective pairing<\/em> isn\u2019t just for coding\u2014it\u2019s for collaboration. Role clarity, shared goals, and mutual respect make it work.<\/li>\n\n\n\n<li><em>Security culture<\/em> starts with learning. CTFs provide a low-stakes environment for teams to explore complex problems together.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>Closing Thought:<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThe best pairing happens when seniors learn to teach through listening, and juniors are given the space to lead through curiosity.\u201d<\/p>\n<\/blockquote>\n\n\n\n<p>Tobey Allman closed by offering a worksheet (available via LinkedIn) for teams to self-organize around successful pairing practices and CTF planning.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Discover how Capture the Flag exercises can foster a collaborative security mindset, strengthen agile teams, and turn learning into a shared organizational advantage.<\/p>\n","protected":false},"author":8033092,"featured_media":8096047,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","categories":[904,182,918],"tags":[],"event_session_cat":[],"session_aud_level":[],"event_session_type":[],"content_source":[1618],"event_session_tags":[],"class_list":["post-8096433","aa_event_session","type-aa_event_session","status-publish","has-post-thumbnail","hentry","category-business","category-community","category-framework","content_source-agile-tech-talks"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/agilealliance.org\/wp-json\/wp\/v2\/aa_event_session\/8096433","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/agilealliance.org\/wp-json\/wp\/v2\/aa_event_session"}],"about":[{"href":"https:\/\/agilealliance.org\/wp-json\/wp\/v2\/types\/aa_event_session"}],"author":[{"embeddable":true,"href":"https:\/\/agilealliance.org\/wp-json\/wp\/v2\/users\/8033092"}],"replies":[{"embeddable":true,"href":"https:\/\/agilealliance.org\/wp-json\/wp\/v2\/comments?post=8096433"}],"version-history":[{"count":1,"href":"https:\/\/agilealliance.org\/wp-json\/wp\/v2\/aa_event_session\/8096433\/revisions"}],"predecessor-version":[{"id":8096434,"href":"https:\/\/agilealliance.org\/wp-json\/wp\/v2\/aa_event_session\/8096433\/revisions\/8096434"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/agilealliance.org\/wp-json\/wp\/v2\/media\/8096047"}],"wp:attachment":[{"href":"https:\/\/agilealliance.org\/wp-json\/wp\/v2\/media?parent=8096433"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/agilealliance.org\/wp-json\/wp\/v2\/categories?post=8096433"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/agilealliance.org\/wp-json\/wp\/v2\/tags?post=8096433"},{"taxonomy":"event_session_cat","embeddable":true,"href":"https:\/\/agilealliance.org\/wp-json\/wp\/v2\/event_session_cat?post=8096433"},{"taxonomy":"session_aud_level","embeddable":true,"href":"https:\/\/agilealliance.org\/wp-json\/wp\/v2\/session_aud_level?post=8096433"},{"taxonomy":"event_session_type","embeddable":true,"href":"https:\/\/agilealliance.org\/wp-json\/wp\/v2\/event_session_type?post=8096433"},{"taxonomy":"content_source","embeddable":true,"href":"https:\/\/agilealliance.org\/wp-json\/wp\/v2\/content_source?post=8096433"},{"taxonomy":"event_session_tags","embeddable":true,"href":"https:\/\/agilealliance.org\/wp-json\/wp\/v2\/event_session_tags?post=8096433"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}