Build Better Defenses
October 29–30, 2017: Training
October 30–November 1, 2017: Tutorials & Conference
New York, NY

Sensible Conversations about security

Jim Gumbley (ThoughtWorks)
3:50pm–4:30pm Wednesday, November 1, 2017

Who is this presentation for?

  • Software development managers, product owners, managers, business analysts, security specialists, CISOs, software developers, and DevOps engineers

Prerequisite knowledge

  • A basic understanding of how Agile software development teams operate

What you'll learn

  • Explore Sensible Conversations, an iterative, workshop-based approach to getting sensible security scope into Agile software development teams’ backlogs


We want Agile software delivery teams to bake security into the work they deliver in every iteration. However, many software delivery teams struggle to make sense of security or sometimes don’t even know where to start. There are not many established good practices for getting the right scope into backlogs, beyond ensuring the necessary expertise is available.

Jim Gumbley offers an overview of Sensible Conversations, an open source, low-fi, visual, collaborative set of materials and workshops about security, and shares what works (and doesn’t), drawn from his experience working with a variety of public and private sector software delivery teams. Sensible Conversations is designed for teams who don’t know where to start with building secure systems and don’t have access to security experts. The aim is to kickstart a secure delivery cycle and reinforce the team’s muscle memory by having risk-driven conversations about what protections are required every iteration. Jim describes lessons learned carrying out the workshops and refining and iterating on the materials. He then explores the approach from a non-security expert perspective.

Jim Gumbley


Jim Gumbley is a cyber security consultant at ThoughtWorks, where he has worked across the finance, public sector, and healthcare areas. For the last few years, he’s been focused on improving information security outcomes in Agile and Lean development projects for ThoughtWorks in London, UK.