Why is it that in some or many cases, security professionals are not engaged at the start of new initiatives, either internally by their own organisations or via clients? Is it because we frighten people? Are we too stealthy? Is it because they don't want to trouble us? Don't know how to engage with us professionally? Don't want to embarrass themselves by asking the wrong questions? Don't want to spend money on security? What drives them to these momentary moments of insanity, where someone makes a decision at the start of an engagement not to get security professionals involved? This normally results in a high-intensity catch-up to help them out of a rut or, in many cases, literally save their bacon. Security is a business (business, people and technology) problem; adding additional technology which does not integrate with the organisational security framework and how it operates just exacerbates the situation, as we all know. Answers and points of view would be appreciated.
It is easier to ask for forgiveness later than to get permission first.
I didn't want to be told no.
You guys always kill or slow down our projects.
Oh. I forgot.
Those 4 excuses are what I hear the most. So we have to get away from being known as the department of "No!". You have to start becoming an innovative security practitioner and finding ways to get invited to the early meetings. Make yourself available. Ask that you be brought in early and if you are needed you can bow out gracefully.
Great question.
All the "excuses" you list as questions are valid, and happen frequently.
For thousands of years, security types have had these issues. This is nothing new with cybersecurity.
We are seen as door stops, speed bumps, naysayers, doomsday preachers, fanatics, weirdos, paranoid reactionaries, hall monitors, nannies, scolds, project-stoppers, gadflies, and a few other terms I've heard. It's not insane. It's actually quite normal.
I am sure the Head of Security for the ancient town of Jericho had to reproach the king and say, "Seeeeeeee? I told you those blasting horns would be a problem when Joshua showed up. But did you listen? Nooooooo."
We all recognize that built-in security is far more cost-effective than security bolted on later. It's a wonderful maxim, but, unfortunately, most security policy (and technology) is written in blood.
Mc
@CISOScott wrote: It is easier to ask for forgiveness later than to get permission first.
I didn't want to be told no.
You guys always kill or slow down our projects.
Oh. I forgot.
Those 4 excuses are what I hear the most. So we have to get away from being known as the department of "No!". You have to start becoming an innovative security practitioner and finding ways to get invited to the early meetings. Make yourself available. Ask that you be brought in early and if you are needed you can bow out gracefully.
Great to hear from a live and kicking CISO from your perspective, and I hope it elicits more constructive comments. Because without full and honest disclosure between all parties, someone is going to either lose their job, or the organisation is going to suffer a setback they did not plan for at some point in time. Unfortunately, the probability is sooner rather than later. Well, as you state, we have to be more innovative. Hey guys, we could be saving you tonnes of money and making the organisation far more productive, efficient and, by the way, resilient, so you can keep going, if we agreed to work together and be engaged.
@jmccumber wrote:
We all recognize that built-in security is far more cost-effective than security bolted on later. It's a wonderful maxim, but, unfortunately, most security policy (and technology) is written in blood.
Mc
AH HA! We have hit the nail on the head. Security Policy is sometimes too rigid and if we follow it to the letter of the law (exactly as it is written) then we tell people no. I think we need to move to more of a risk based decision model. Have the ability to adjust as needed (provided you have the experience or have shown in the past, good judgement) or elevate to the decision makers to accept the level of risk. The DoD started going to this model in 2016 and I think it will help mend those fences we broke in the past by being too rigid.
I agree, if you take the exponential growth in technology, digital transformation and breadth of innovations, and the various demands of IoT, privacy by design and the many untold implications of what appeared to be a good idea at the time. Unfortunately, in general, humans learn in a more linear, phased approach, and it can take time to adapt our thinking. Almost as though we need to re-learn to learn, but we also need to make space in our demanding days to give us the ability to rethink rather than rush headlong from one issue to another.
We definitely need to take a more fluid, risk-based perspective; static is out, dynamic and innovation are definitely in. However, even in an organisation that has adopted Agile, some things need to be built in, reviewed and re-checked, and even with our best efforts and intent, some things will and do slip through the net. Therefore I agree we need to be more adaptable, rather than taking the rigid approach of old.
@Caute_cautim wrote: Why is it that in some or many cases, security professionals are not engaged at the start of new initiatives either internally by their own organisations or via clients?
Ask a home improvement contractor how many times they are brought in to finish/fix some homeowner's attempt. Now bear in mind you are dealing with an area a lot more tangible and regulated than that broad umbrella that we call "technology." Ultimately, whether you are talking about a small business or a multi-national conglomerate, we love to leap before looking. But the issue isn't that developers or executives don't come to "us" earlier. It is that our skill set is not part of their training and experience. While the world will always need security specialists, just like it will need building inspectors, the mistake is thinking security is some discrete process or product - like spraying fabric protector onto shirts or jeans after they roll off the production line. Just like contractors spend years developing the training and experience to do things correctly, technologists should be doing the same. However, instead the model tends to be upside down. We first start using technology with no clue what we are doing - as we now see schools shoving tablets in front of kindergarteners and parents eating it up. As kids progress through their learning, in regard to technology, they are typically surrounded by people less adept than they are with the resources. In the workplace, entry-level positions all focus on technology or service delivery, not on security, because that is an "advanced" topic. Isn't that a little backward? Shouldn't the entry-level requirement be a good security foundation, and then after that we learn how to manage that router, mail server, etc.?
If only we set out and engaged with the business owners, to understand what they are attempting to solve and what the priorities are in terms of alignment with the business strategy and objectives. But also to take a more holistic perspective rather than concentrating on the technology. The technology or services may be a tool to resolve the business problem. But in deploying it, shouldn't we fundamentally review whether the benefits are fully obtained, and potentially any implications of doing it this way too? It's rather like a vendor rolling up to an organisation, telling all and sundry that their approach and solution will solve all their problems. The majority may go with the flow, i.e. what I call the group-think or caught-in-a-lobster-pot thinking mode, and purely accept what they are saying for expediency purposes. We need to give ourselves the room to think, keep evolving, and keep learning, even, as you state, from the floor up. The fundamentals should be your essential baselines; seldom do these change in terms of principles and methodology. Yes, we need more apprentices, the younger the better, and to grow them into the role as they mature.
short answer - security will too often say no. Longer answer, security says no for a reason, not because we enjoy it, but because there is a risk associated with doing it your way. So engage security early on and after a few iterations, you will understand what some of the concerns are and in the future, will be better prepared and the delay will be minimal.
I have been doing a lot of third-party assessments / due diligence projects, and people were always complaining that I needed documentation rather than just signing off on a purchase. A few years later, and with some bad apples weeded out among third parties, they now understand that the additional two weeks of prep work will save a lot of headaches later on.
Great questions...good to see that others feel my pain.
I jokingly have a quote for Cybersecurity, "Cybersecurity Black Ops...Things just happen"
The way I try to attack this issue is to say "cybersecurity is the bridge to help your organization be successful". I'm constantly involving myself between the development and operational departments to ensure cybersecurity is involved throughout the life cycle of a project. It's a constant challenge, but in our world we have to be the masters of change.