Nigeria is ranked second worldwide, after India, in reported incidences of cyberattacks. Attackers usually exploit vulnerabilities in software which may not have adequately considered security features during the development process. Agile methods have the potential to increase productivity and ensure faster delivery of software, although they tend to neglect non‐functional requirements such as security. The implementation of government policies, such as the Nigeria Data Protection Regulation (NDPR) Act 2019, impacts the security activities carried out by agile teams. Despite its significance, there is a paucity of research on security issues especially in the Agile Software Development (ASD) domain. To address this gap, a grounded theory study was conducted with 15 agile software practitioners in Nigeria. Based on our analysis of the interview transcripts, we developed a grounded theory of the security challenges confronting agile practitioners. The four challenges identified were (a) a lack of collaboration between security and agile teams; (b) the tendency to use foreign software hosting companies; (c) a poor cybersecurity culture; and (d) the high cost of building secure agile software. We used these challenges to identify gaps within the existing secure ASD and found a lack of indigenous software hosting companies in Nigeria. Our study also revealed tensions between the Nigerian regulatory environment and agile software developers' compliance. While practitioners acknowledged the government's efforts, there were concerns about the practicality of implementing such legislation. We recommend government action to increase awareness of local software hosting companies' capabilities, and closer collaboration between agile and security teams. Thus, the novel contribution of this article is the development of the policy adherence challenges (PAC) model.