The RAPID Methodology
RAPID (Rapid Adaptation Process for IT Deployment) is an iterative, risk-based framework for rolling out IT changes — including security governance, compliance, and operational concerns. It has been in continuous use since 1992 and is the engagement framework behind every StrongCOR subscription.
Why It Exists
RAPID was conceived to solve a practical problem: helping nuclear power operators integrate Internet-connected systems into their operations without disrupting them. Operations of that class run on extensive procedure libraries that must be kept current, validated, and auditable, and any new practice had to fit the same discipline. The approach RAPID borrowed — from Rapid Application Design (RAD) in software engineering — was to break the work into short, focused cycles that produce incremental, measurable improvement.
That approach turned out to apply to SGRC programs in every sector, not just utilities. It is, at its core, the same idea that agile development, Scrum, and DevSecOps apply to software: replace the once-and-forever waterfall with short cycles that respond to what the organization actually learns.
The Cycle
A RAPID engagement runs as a chain of short cycles rather than a single long project. Each cycle:
- Identifies the most important SGRC issue the organization faces today, drawing on Board, management, employee, and customer perspectives.
- Updates the governance program document and the gap analysis against the relevant compliance regimes.
- Implements or specifies the change that addresses the identified issue.
- Validates the result — through testing, peer review, or regulatory alignment as appropriate — and feeds the outcome into the next cycle.
Cycles are triggered by real events — a new threat, a new regulation, a new business line, a failed test, an audit finding — rather than by fixed time boxes. Most engagements run four to twelve cycles in their first one to three years, then move into maintenance mode where RAPID continues in the background at a lower cadence.
What a RAPID-Developed Program Looks Like
- Relevant: built around the organization's specific business, risk tolerance, technology, and regulatory posture — not a generic template.
- Adaptable: responds quickly to change. When a threat, a regulation, or a business priority shifts, the next RAPID cycle addresses it rather than waiting for the annual review.
- Continuously Validated: each cycle produces an updated gap analysis, an updated governance program document, and evidence that the previous cycle's changes actually took effect.
- Auditable: the cycle outputs are the audit trail. There is no separate reconstruction step at audit time.
Framework and Compliance Integration
RAPID integrates with the common enterprise-architecture frameworks (TOGAF, FEAF, PEAF, DODAF, Zachman) and supports every major compliance regime (GLBA, SOX, HIPAA, NERC CIP, ISO 27001, COBIT, COSO, ITIL, FERPA, FISMA, FedRAMP). A RAPID engagement can begin at any organizational level — enterprise, business unit, IT function, or an individual SGRC element — and grow outward.
Further Reading
The RAPID Practice Guide is the practitioner's reference. It covers the full methodology: origin, the cycle in detail, the characteristics of a RAPID-developed program, integration with agile / DevSecOps, and the framework mappings.
Download the RAPID Practice Guide (PDF)
Chapter 5 of Guerilla Security: The Martial Art of Information Security places RAPID in the broader context of the Three Laws of Guerilla Security, STORM risk measurement, and the rest of the governance approach that holds a real-world SGRC program together.
- Guerilla Security (practitioner edition, PDF) — Chapter 5 covers RAPID in depth.
- Guerilla Security: What Everyone Needs to Know (PDF) — plain-language companion.
- StrongCOR — the subscription vehicle that delivers RAPID-based engagements.
- STORM and ATRA — the risk-measurement tooling used inside every RAPID cycle.
To discuss a RAPID engagement, use the contact page.
Simplified Total Risk Management, STORM, ATRA, StrongCOR, RAPID, and RSK are trademarks of Andrew T. Robinson.