Information Security as the Status Quo
How do you view information security in your organization:
- A department that is always on your case to improve your systems?
- A compliance team who hands you a list of requirements you have to meet?
- An essential part of the quality of the work you create on a daily basis?
Effective information security is not a program forced upon system administrators, developers and DBAs by an external department. It is created, implemented and maintained by the technical people who build and manage the systems and applications themselves.
In order to achieve a secure environment we need to move beyond the outdated model that goes something like this…
- System is created to meet functional requirements, with no consideration given to security
- System is evaluated by InfoSec as a gate before going live, or after it is already in production
- InfoSec reports its findings and requests that the system owners remediate
- System owners have to balance these new security findings against deadlines and resource constraints
- Security may or may not be fixed, depending on who wins the argument
This model has the dual distinction of being both widely adopted across all types of industries and wildly inefficient and wasteful: it requires multiple revisions to the system and fosters an “us versus them” mentality.
A better model of system design looks more like this…
- Provide training and guidance to the people who create systems.
- Systems are created with both functional and security requirements in mind.
By moving security discussions from later in the process to earlier, we enable our technical people to do the job right the first time. That allows for appropriate project scoping, scheduling and expectations for everyone. Nobody likes being told they did a job wrong, yet that is what so much of the current information security model is built on.
Success is achieved when security becomes the norm. Until creating secure systems is the expected behavior, we will continually fight a losing battle against our technologists. The key is getting them to accept security as the status quo, and the key to that is getting their bosses to buy in to the mission of information security.
Getting management’s buy-in is essential to making an organization-wide change to information security’s role. Until the managers, directors and senior leadership see security as essential to the success of their products, we will go on battling to have security countermeasures bolted on after the fact. The primary directive of information security practitioners in that type of environment is to evangelize security as far up the food chain as possible.
For more, read Robert Lemos’s article “Turn Workers into Security Partners.”
Connect with Robb on Google+