
Scrum Master role

Last post 07:16 pm December 6, 2021 by Zacharia Stratford
6 replies
05:00 pm September 1, 2016


I have some troubles with this:

Let's imagine that we have a situation where one member of the development team has concerns about data security issues.
You are SM, you can pick only one solution, what should you do:

1.) Create a Product Backlog item for security.
2.) Add security to the definition of Done

Options 1 & 2 are for me equal. But one of them is better. Which one?


05:56 pm September 1, 2016

For me, the two options are not equal at all. The DoD is defined by the team. As long as that one developer is not able to underline the importance of security for every backlog item I doubt the commitment of the team is high. I even doubt that changing the DoD would be wise under those circumstances.

I would clearly prefer option 2). The PO can add it to the backlog, refine the requirements with stakeholders and the development team and finally prioritize it in the backlog according to customer value. If thereafter the awareness for security is higher, option 1) might be a second step.

08:41 pm September 1, 2016

If you are the Scrum Master, you do not pick solutions for the team. Period.

How has the Development Team member expressed their data security concerns? In a side discussion with a subset of the team? During a Scrum ceremony? During a grooming session?

What does the rest of the Development Team think? Do they concur with his concerns? What does the Product Owner think?

Regarding your question, the Product Owner owns the Product Backlog, and the Scrum Team owns the Definition of Done. Therefore, my answer is Option 3 - Neither.

12:33 am September 2, 2016

The Scrum Master is not a decision maker; he acts as a servant leader who serves the product owner, team, and organization.
Assumption: if the member has concerns about a data security issue and has raised them with the SM separately, then the SM should guide him/her to bring it to the team and accordingly facilitate the Scrum Team taking the decision collectively, where the PO and Development Team will update the things they own (PB and DoD) based on the outcome.

05:08 pm September 3, 2016

I agree with Timothy: the Scrum Master does not have to pick the solution, and the questions proposed by Timothy are interesting.

I think as Scrum Master you could facilitate a talk in which the DT member expresses his/her concerns to the rest of the DT and the PO, taking into account that this security aspect is a product aspect, so the PO has the last word.

11:20 pm September 16, 2016

> You are SM, you can pick only one solution...

Can you explain why you believe the Scrum Master would pick the solution, and why you believe there is only one available in the first place?

04:49 pm December 5, 2021

This is a question in the PSM1 exam. Caught me too, but now that I read your replies I'm more confident that I got it right. Options 3 and 4 in the exam, in addition to what Piotr said, are 3) SM informs PO and Team and they figure it out asap. 4) cancel the sprint. There was another security question that tested similar knowledge based on what the SM should do if... Thanks for everyone's insight here.
