
Scrum Master role

Last post 07:16 pm December 6, 2021 by Zacharia Stratford
6 replies
05:00 pm September 1, 2016


I have some troubles with this:

Let's imagine that we have a situation where one member of the development team has concerns about data security issues.
You are the SM and you can pick only one solution. What should you do?

1.) Create a Product Backlog item for security.
2.) Add security to the Definition of Done.

Options 1 & 2 are for me equal. But one of them is better. Which one?


05:56 pm September 1, 2016

For me, the two options are not equal at all. The DoD is defined by the team. As long as that one developer is not able to underline the importance of security for every backlog item, I doubt the commitment of the team is high. I even doubt that changing the DoD would be wise under those circumstances.

I would clearly prefer option 2). The PO can add it to the backlog, refine the requirements with stakeholders and the development team and finally prioritize it in the backlog according to customer value. If thereafter the awareness for security is higher, option 1) might be a second step.

08:41 pm September 1, 2016

If you are the Scrum Master, you do not pick solutions for the team. Period.

How has the Development Team member expressed their data security concerns? In a side discussion with a subset of the team? During a Scrum ceremony? During a grooming session?

What does the rest of the Development Team think? Do they concur with his concerns? What does the Product Owner think?

Regarding your question, the Product Owner owns the Product Backlog, and the Scrum Team owns the Definition of Done. Therefore, my answer is Option 3 - Neither.

12:33 am September 2, 2016

The Scrum Master is not a decision maker; he acts as a servant leader who serves the Product Owner, team, and organization.
Assumption: if the member has concerns about a data security issue and has raised them with the SM separately, then the SM should guide him/her to bring it to the team and accordingly facilitate the Scrum Team taking the decision collectively, where the PO and Development Team will update the things they own (PB and DoD) based on the outcome.

05:08 pm September 3, 2016

I agree with Timothy: the Scrum Master does not have to pick the solution, and the questions proposed by Timothy are interesting.

I think that as Scrum Master you could facilitate a talk in which the DT member expresses his/her concerns to the rest of the DT and the PO, taking into account that this security aspect is a product aspect, so the PO has the last word.

11:20 pm September 16, 2016

> You are SM, you can pick only one solution...

Can you explain why you believe the Scrum Master would pick the solution, and why you believe there is only one available in the first place?

04:49 pm December 5, 2021

This is a question in the PSM1 exam. Caught me too, but now that I read your replies I'm more confident that I got it right. Options 3 and 4 in the exam, in addition to what Piotr said, are: 3) SM informs PO and Team and they figure it out asap. 4) Cancel the sprint. There was another security question that tested similar knowledge based on what the SM should do if... Thanks for everyone's insight here.