There is a balance between security and functionality, and the tension between the two comes from scarcity of resources. Money, time, and people are all limited, and those limits force a business to make hard decisions about what gets top priority and what gets cut.
All too often it is the security of the product that suffers. There are plenty of reasons for this:
- The perception that features are what sell a product.
- The thought leaders at a company spend their time dreaming up new features, not new security measures.
- Many developers and system administrators are more familiar and competent with implementing features and functions than security measures.
The central question for information security evangelists becomes: how do we get security prioritized on equal footing with functionality?
Security Equals Quality
Security equals quality. That is the central point that must be ingrained at the highest levels of the company. Getting the buy-in of senior management is critical. They are the people generating the pressure and expectations around the timing and content of product releases, and their priorities are felt throughout the entire organization.
Senior management understands that quality is critical to the success of the company. Whether in manufacturing or a service industry, high quality is essential. Functionality and price may be what get a client in the door, but if the product’s quality is lacking, client retention will suffer.
We must educate leadership that quality includes the security properties of the system, such as:
- Confidentiality: data is available only to authorized users. What would you say about the quality of a bank website that allows someone else to view your account details?
- Integrity: data is not changed or deleted inappropriately. If we cannot trust that the data within the application is accurate, the application's value is nil.
- Availability: the system is up and running when it is supposed to be. If clients cannot depend on your product to be available when you say it will be, they will find another option that will.
We lose senior leadership when we discuss the highly technical details of security implementations. Instead, speak about the tangible benefits of security improvements. Rather than 'I found a really cool service that will dynamically change our IP addresses if a botnet DDoSes us,' tell them, 'By implementing this DDoS protection we ensure that our website can meet our 99.999% uptime SLA (roughly five minutes of downtime a year) even if we are targeted by an attacker.' By speaking the language leadership understands best, we can demonstrate the bottom-line business impact of information security.
Provide examples of other organizations that have been stung by poor security. Find organizations similar to yours that have been the victims of cyber criminals. Real-world examples of losses suffered by organizations in your industry can be the wake-up call that leadership needs, and there are plenty of public resources (breach databases, regulatory filings, industry reports) to help with this research.
Beyond converting senior leadership we need to teach the in-the-trenches managers and implementers that the quality of their product is affected by the security of the product. In this capacity, information security practitioners need to be able to speak in technical details that have practical meaning to the implementers.
In the case of the DDoS protection tool mentioned earlier, when we explain the solution to the network administrators we want to talk about how the safeguard will change our public IP address on the fly and automatically update DNS, and how the TTL on our domain's records limits how quickly clients will pick up the new address.
When we need to talk to an application developer about injection flaws in the code, we don't want to settle for handing them the OWASP Top 10 or a book on secure coding. The valuable conversation is about defense techniques for that specific application, pointed at the exact areas of the code that are currently vulnerable.
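As an illustration of the kind of concrete, application-specific conversation the paragraph above recommends, here is an added example (not code from the original post) showing a login lookup that is vulnerable to SQL injection beside its parameterized fix. The users table and its two rows are constructed in memory with sqlite3 so the example runs offline; the plaintext password column exists only to keep the example short and is not a recommendation.

```python
"""Vulnerable versus parameterized SQL lookup: an added example.

The schema and sample rows below are constructed in memory purely for
the demonstration; nothing here comes from the original post.
"""
import sqlite3


def _new_db() -> sqlite3.Connection:
    """Build a throwaway in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The 'before': user input is spliced straight into the SQL text.

    Because the input becomes part of the statement, a quote character in
    the username lets the caller rewrite the WHERE clause itself.
    """
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: bound parameters keep the input as data.

    The SQL text is a constant, so no value the caller supplies can change
    the structure of the query; the driver hands the values to the engine
    separately from the statement.
    """
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run both versions against good credentials and a classic tautology
    payload, returning the outcome of each call."""
    conn = _new_db()
    # The trailing "--" turns the rest of the original statement into a
    # SQL comment, so the password check never runs.
    payload = "' OR '1'='1' --"
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_injected": login_vulnerable(conn, payload, "wrong"),
        "param_good_creds": login_parameterized(conn, "alice", "correct horse"),
        "param_injected": login_parameterized(conn, payload, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block shows the vulnerable function accepting the injected username with a wrong password while the parameterized version rejects it; the same two rows and the same inputs make the point far more convincingly to the developer who owns that query than a generic reference to "injection flaws" would.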
Both senior leadership and IT practitioners want to produce high-quality systems. We probably don't need to convince them to create quality. Instead, we need to convince them that a big part of quality is the confidentiality, integrity and availability of the system. Consumers have voted with their wallets and taught car manufacturers that reliability is expected in their vehicles. I believe information systems consumers will likewise expect and demand systems that not only provide the functionality and features they want, but that protect their data as well. Security equals quality. High-quality products at an affordable price are what every consumer is looking for.
Connect with Robb on Google+