Has anyone had any success integrating security controls approval into Agile, Kanban, Scrum, etc.? Pick your flavor of accelerated, sprint-based application development. Especially when cloud-based architectures require new/major redefinition? If so, any advice on how to do it, knowing the culture would prefer to eliminate security controls in the first place?
I started in my shop under waterfall; however, we have since changed to agile. In both scenarios, our information protection and change management teams were the key security enforcers across the corporation. It is difficult for me to say the Agile methodology integrates security by nature, because it really is up to the development and business teams making it a priority in the form of Epics/Features/User Stories. Fortunately for us, our Information Protection team has started enforcing business and IT stakeholder sign-off on significant risks. We still use the same security assessment processes regardless of methodology. This has helped the development and business teams stay engaged with security in mind, as it applies to everyone, not only developers/IT.
You could scrape job boards for types of roles such as developer or devops and build a word cloud to show that no one gives a hoot for secure anything, and if enterprises are not demanding it, then they surely are not building it securely.