Securing Cyberspace: Waterfall or Agile? Determining the Right Fit for Your Company

In the ever-evolving landscape of project management, in every branch, a valid question arises before any business change: which approach would be the most suitable?

As organizations continually strive to optimize productivity, efficiency, and project success, the choice among a broad spectrum of methodologies has become a critical decision point. If we take a closer look at cybersecurity in OT, usually only one methodology is considered: Waterfall. Agile, on the other hand, is hardly considered at all. It is thought to be suitable only for IT projects, but is that truly so?

These distinct approaches represent divergent philosophies and execution strategies for handling projects across various industries.


The traditional Project Management approach, often associated with the Waterfall method, follows a linear and sequential model, wherein each project phase flows logically from initiation to completion. It emphasizes meticulous planning, a comprehensive scope, and strict adherence to timelines. Waterfall is often preferred for large-scale, well-defined projects with a stable scope and clear objectives. However, the rigidity of this approach can pose challenges in dynamic environments where unforeseen changes and iterative development are necessary.

On the other hand, Agile Project Management is a relatively new methodology that became increasingly popular outside classical software development during the pandemic. It prioritizes flexibility, collaboration, and iterative progress, and it is especially recommended for small and medium-scale projects. Agile methodologies, such as Scrum or Kanban, encourage adaptive planning, continuous feedback, and regular stakeholder involvement. The iterative nature of Agile allows teams to respond swiftly to changing requirements, thereby fostering greater adaptability and customer-centricity.

This much theory about the two practices may already invite a premature conclusion about which method to pick, since nowadays everybody puts an emphasis on flexibility and responsiveness. Nothing could be more wrong. Reality is, as always, different. First, we need to ask how each approach treats the common project variables (time, cost, quality, and scope). In Waterfall, we find that only the scope is defined from the beginning and is “not to be touched” during the project. The other variables remain changeable, despite the claim in the previous paragraphs that, for example, time is rigidly fixed. Everything can be adjusted via change requests, so in the end the project usually costs more than expected or lasts longer, or - horror of horrors - the quality is met only halfway. Who has not experienced something like this? Feel free to raise your hand. No one? I thought so.

In Agile, by contrast, the scope is the only variable not fully defined upfront. Among the principles of this methodology we can read “Deliver on time” or “Never compromise quality.” If those conditions cannot be met, that is the moment at which the Agile project ends itself. This is a guarantee for the customer that those parameters will not be exceeded. As for cost, it is fixed at the beginning of each timebox (the planning phase) and cannot be changed afterwards. It all seems too good to be true, and the choice then appears practically obvious, but is Agile really effective for cybersecurity projects such as building an OT strategy?

At BxC, we believe that understanding the strengths and limitations of each methodology is crucial to making an informed choice that aligns with the unique needs of a project and the overall organizational goals. Taking that into consideration, the best solution is to create and act within a hybrid framework.


Agile methodology offers a compelling solution for projects, particularly in the dynamic realm of cybersecurity, where change is constant and adaptability is paramount. A day in the life of a cybersecurity specialist, whatever the position, involves constantly evolving threats and a frequently changing regulatory landscape.

Building a cybersecurity strategy may seem at first like a classic case for the Waterfall methodology: one has to prepare a detailed plan and put a lot of effort into it. Yet instead of spending so much time on organizing, aligning, and drafting a roadmap before putting it into practice, this is actually a good case for the Agile approach. When the scope is not precise, it is better to determine it piece by piece rather than all at once.

By employing Agile sprint cycles, typically spanning 2-4 weeks, tangible solutions emerge incrementally. In cyber-environments, it would make more sense to extend the duration of the timeboxes to 8-10 weeks. OT security projects are often complex and require considerable coordination between different teams. Extending the timeboxes allows more time for planning, execution, testing, and validation, which reduces the risk of errors and helps ensure that the solutions are secure. Unlike the rigid Waterfall model, where solutions are revealed only at the project's conclusion, Agile delivers functioning outputs at regular intervals. This not only provides early value but also forces management to think about essential security measures sooner, mitigating potential risks that might otherwise linger until project completion. As a result, the long-term vision is not lost, and milestones are achieved with every sprint. The "fail fast" principle inherent in Agile, and absent from Waterfall, is particularly valuable here. Cybersecurity strategies must be effective from the outset, and Agile's iterative nature allows for rapid testing and validation. If assumptions prove incorrect, Agile enables immediate course correction, saving precious time and resources.


Once the strategy is developed, the time comes for implementation. For such a complex project, as the theory suggests, a Waterfall approach would be beneficial. In this phase, an exhaustive outline of the steps is required. The scope is already set and is not to be changed. All one has to do is implement what was developed in the previous stage.

Later, should the strategy need to change because of new regulations, threats, or ideas, Agile is recommended once again: all required changes can be addressed quickly and efficiently as part of new sprints.


Hybrid approaches can help an organization achieve its goals faster than using only one methodology. For cybersecurity experts within companies facing relentless pressures, Agile is not just a methodology; it's a strategic advantage.


The effectiveness of the hybrid framework lies in its ability to leverage the strengths of both Waterfall and Agile methodologies while mitigating their weaknesses. By combining these two approaches, organizations can tailor their project management strategy to the specific needs of cybersecurity projects, such as building an OT strategy.

Waterfall's linear model prioritizes comprehensive planning, which is ideal for large projects. But it falters in dynamic scenarios. Agile, with its flexibility and collaboration, suits smaller projects. The hybrid framework integrates both, providing both adaptability and structure.

For cybersecurity projects, especially those involving critical infrastructure such as operational technology (OT) systems, a well-defined scope is critical to ensuring the security and stability of the environment. Waterfall's emphasis on careful planning and comprehensive scope definition is very beneficial in this context. The hybrid approach allows organizations to set clear objectives and requirements from the outset, reducing the risk of overlooking critical security issues. At the same time, the iterative and adaptive nature of Agile is particularly valuable in the dynamic and ever-evolving field of cybersecurity, where the ability to respond quickly to changing threats and emerging vulnerabilities is essential. Agile's emphasis on flexibility, collaboration, and continuous feedback allows cybersecurity teams to remain nimble and adjust their approach as needed to address new challenges effectively. The hybrid framework thus combines meticulous Waterfall planning with agility, a synergy that ensures clear objectives and reduces security oversights.

By integrating the upfront planning and scope definition of Waterfall with the responsiveness and adaptability of Agile, the hybrid framework promotes a balanced and effective project management approach for cybersecurity initiatives. It provides a structured foundation while allowing room for necessary changes and enhancements throughout the project lifecycle.


The psychological aspect of the Agile methodology within the hybrid framework fosters a collaborative working environment in which sponsors, stakeholders, and project teams work towards a common goal. This approach not only drives project outcomes and ensures customer satisfaction but also establishes a continuous cycle of improvement through failure-feedback learning. Unlike the traditional Waterfall model, where feedback comes at the end of the project, Agile's iterative nature allows adjustments to be made during each sprint and retrospective, channeling the knowledge gained into subsequent timeboxes for rapid implementation. Furthermore, the visibility of work results and their immediate impact within a short span of time adds another layer to the equation. This clarity of purpose boosts team morale, as tangible progress towards a clear goal becomes a motivating force.

In conclusion, the psychological facet of the Agile methodology goes beyond simply fostering sponsor engagement and team collaboration during project delivery. It acts as a powerful antidote to potential client dissatisfaction by immersing clients in every phase of the process, from inception to culmination. This continuous involvement fosters a sense of belonging and ownership, significantly reducing the likelihood of dissatisfaction and building deep client relationships. As a result, this psychological underpinning resonates throughout the results and strengthens the foundation for success.

The project team is empowered to make decisions during timeboxes; therefore, people feel more accountable for their work, and planning is more realistic. Not only does this boost morale, but it also nurtures a subconscious sense of ownership. Agile methodology draws on simple psychological processes present in all of us.

It lies in human nature that if we feel that something belongs to us, we care more. Isn’t this right?


The choice between methodologies is not just a matter of preference but a strategic decision that shapes the success of projects. By embracing the hybrid approach that fuses the strengths of Waterfall and Agile, organizations can navigate the complexities of cybersecurity initiatives with confidence. This approach not only streamlines planning and ensures well-defined scopes but also provides the agility needed to respond swiftly to emerging threats and challenges.

In the end, it's not just about methodologies; it's about fostering a culture of collaboration, adaptability, and ownership. As organizations embark on the journey of securing their cyber landscapes, they must remember that technology alone cannot suffice. The human element, the psychological connection that Agile fosters, is what truly transforms projects into success stories. With the hybrid approach, cybersecurity becomes more than a task; it becomes a shared mission that unites stakeholders, sponsors, and project teams toward a common goal. As the digital realm continues to evolve, this approach will undoubtedly stand as a beacon guiding organizations through the intricate maze of cybersecurity challenges, armed with the precision of Waterfall and the agility of Agile.