Agile, Waterfall or Pragmatic?
Delivery methodology is a hot topic in most project environments, but in defence and secure government programmes, it takes on a different weight. This isn’t just about which framework you favour; it’s about how you adapt that framework to meet the demands of a risk-conscious, process-heavy environment that prizes assurance as much as output.
Agile may be the fashionable choice, but it rarely fits out of the box. Waterfall feels dated, yet it offers a degree of structure and traceability that secure clients often demand. Somewhere in the middle lies the reality, a more pragmatic, tailored approach that borrows from both while fully aligning with the expectations of MOD or government stakeholders.
Agile in Secure Contexts: A Square Peg?
Agile works best in environments where collaboration is easy, requirements evolve fluidly, and users are actively involved. But when you’re delivering inside restricted networks, across multiple security domains, or into systems that require formal accreditation before they can go live, that level of agility can prove challenging to maintain.
Daily stand-ups lose their rhythm when key team members don’t share the same clearance. Sprint cycles drag when product owners sit behind firewalls or can’t review artefacts in real time. And quick-turnaround changes, which Agile thrives on, often get bogged down in security sign-offs, impact assessments and governance boards.
That doesn’t mean Agile has no place. It just means it has to flex. In practice, that might mean maintaining a backlog but gating changes through formal approvals, or delivering in iterations while aligning each increment to a pre-approved set of controls. Agile can work — but it needs to be structured, documented, and deliberately tempered.
The Enduring Utility of Waterfall
Waterfall’s strength lies in its predictability. In high-assurance environments, where full system designs must be signed off before anything gets built, and where test plans must map tightly to requirement sets, its stage-based progression offers a level of control and visibility that clients often find reassuring.
Many defence organisations still favour this approach — not out of habit, but because it ensures due diligence at every step. In these cases, moving too quickly or iterating without documentation isn’t seen as innovation — it’s seen as risk.
Of course, the rigidity of Waterfall can become a problem, especially in longer programmes where evolving threat intelligence or policy changes may shift priorities mid-stream. In those cases, a pure Waterfall approach can feel too slow or unresponsive. That’s where a hybrid model begins to make sense.
Pragmatism Over Purity
Hybrid delivery is sometimes treated as a compromise, but in reality it’s a discipline in its own right. It involves knowing which elements of Agile can work in a secure context, and which elements of Waterfall are non-negotiable.
For example, upfront discovery may follow a Waterfall-style phase to support business cases or satisfy procurement protocols. Design and build may borrow from Agile, working in controlled sprints that allow flexibility within a tightly governed framework. Testing and assurance, meanwhile, often revert to Waterfall — structured, formal, and fully traceable.
The key is in the choreography: switching between approaches must be intentional, not reactive. Clients and stakeholders need to know what to expect, how progress will be reported, and where accountability lies throughout.
Culture and Capability Matter
Choosing the right delivery model isn’t just about the project. It depends on the client’s culture, the operational context, and the experience of the delivery team. Some MOD departments are more Agile-aware than others. Some expect detailed documentation at every stage, while others allow a little more latitude provided the outputs are assured.
It also depends on the capability of the people running the project. There’s little value in pushing an Agile approach if your team lacks the access, tooling or trust to iterate effectively. Likewise, rigidly sticking to Waterfall in a rapidly evolving cyber context can result in missed opportunities and frustrated stakeholders.
At Logiq, we’ve delivered programmes where Agile principles were used inside heavily constrained environments, and where sprint cadences were built around access windows and classified facility schedules. These weren’t textbook projects, but they succeeded because the approach matched the environment, not the other way around.
Adaption and Interpretation
Project management methodology, then, isn’t a badge of honour; it is a means to an end. In secure delivery, it’s not simply a case of Agile vs. Waterfall. It’s about earning confidence, maintaining control, and delivering outcomes that stand up to scrutiny.
The best teams don’t choose a method and apply it blindly. They adapt, they interpret and they understand that methodology, like security, works best when it supports the mission — not when it gets in the way.