Why is it that in some or many cases, security professionals are not engaged at the start of new initiatives, either internally by their own organisations or via clients? Is it because we frighten people? Are we too stealthy? Is it because they don't want to trouble us? Don't know how to engage with us professionally? Don't want to embarrass themselves by asking the wrong questions? Don't want to spend money on security? What drives them to these momentary moments of insanity, where someone makes a decision at the start of an engagement not to get security professionals involved? Which normally results in a high-intensity catch-up to help them out of a rut or, in many cases, literally save their bacon? Security is a business (business, people and technology) problem; adding additional technology which does not integrate with the organisational security framework and how it operates just exacerbates the situation, as we all know. Answers and points of view would be appreciated.
Just to maintain momentum, we are also going through an "Agile" mystique, with lots of organisations who have literally adopted wholeheartedly the concept and philosophy with their teams. So initially, they throw out the rule book, principles etc. and adopt an Agile focus in which the team provides the "quality", discipline and security. It is the team's responsibility during their "Sprints". Who needs security? It is built in, they state, from top to bottom of the organisation. So, given these parameters, how do you inject security into the whole and still maintain, at a level, reduced risk and reduced costs? Or is it purely a fad? Or are there benefits in this approach, and security and privacy really are the responsibility of those involved and not management? Keen to hear about others' experiences.
@Caute_cautim regarding your query - I think you're asking whether security is a senior management responsibility or something incorporated into each component/process (i.e. under an Agile framework). My thinking has always been that security is a function of quality - how well does each element execute its tasks. It's hard for me to think of a security incident that can't, at some point, be traced to sloppiness. Part and parcel of ensuring individual tasks are done right is a management-level responsibility to eliminate single points of failure. In other words, total quality assumes individual failure. As such, you have to make sure an individual failure at any stage can't disrupt the entire operation. Two or three coincident failures bringing down an operation? Sure, the perfect storm can happen, but I am hard pressed to find a clear case of that.
Pulling back from all this though and asking how we ensure quality/security, I think there is a spectrum of approaches that has at one end very centralized operations - everything must go through a quality control function - and at the other end very de-centralized operations - every unit does their own thing - but with very clear and enforced policy that ensures quality. On that spectrum of centralized to de-centralized, I think you will find security professionals moving from specialized (this is the absolute only thing I do) to generalized (I am a developer/administrator/analyst/etc. who also happens to understand security).
Absolutely, I am testing my own beliefs and abilities, to be exact. I am an architect myself. We see security as part of the qualities of the entire solution design phases, through to confirmation from the client. It is a Non-Functional Requirement (NFR), if you like, which can be measured. Good to find another like-minded person.
Unfortunately, this year, already the consequences are revealing themselves in many ways. 2018 is going to be a challenging year and people and organisations will be successful or face the consequences.
Awareness is a key reason here: people do not understand how important security actually is and how much more difficult it is to retrofit.
Also, people are under a general misunderstanding that security always says 'No' or adds complexity and costs to projects, etc.
The basic problem is they just don't see it. Business: "We need a new system; hire a programmer" is the logical progression or lately "Go to the Cloud".
I'm beginning to believe that we have been barking up the wrong tree. We will likely all agree that we are in the risk management business. I also believe that the cyber insurance business will do a lot to improve cyber security.
Why? Because the insurance industry knows how to quantify the risks, and their rates will go up for poorer risks.
Along this line, I think it is time to discuss the risks of not having cyber security integrated with IT projects with the finance department. Cost overruns, project delays, breaches, increased cyber insurance costs... If we can get the money people to start asking the projects whether they have engaged cyber security, then we may get earlier engagement.
There is also another perspective as well, which has just happened to me. A group can be so fixated on technology that they cannot fully appreciate or understand any other perspectives at all, i.e. they don't know how people and processes work along with technology. So they remain fixated on the only thing they know best, i.e. technology. It's their comfort area; they understand it and cannot grasp anything beyond it. Very closed-minded, but this is an example.
I have tried to break down the problem areas into multiple areas with some comments.
Mindset: Information Security in IT / Business is always seen as a troublemaker or something that causes hindrance. This is to do with the mindset. This needs to be broken, with the notion that it is not an independent function, but more of a need and one that works in a cohesive manner.
Education: Teach / educate people about the business consequences of having security as one of the core requirements. If it is for C level, they should perceive the issues and should be educated to relate to IP, adherence, compliance and all the consequences associated with it. It has to be carried out without losing momentum and purpose at all the lower levels, be it operations, development, support and all other supporting functions. Typically the education could be iterated for any common architectural implementation, giving lots of examples of what needs to be protected and how it can be broken into. I do not want to quote examples, but it could be anything, such as even building a house and protecting the valuables inside it, be it humans, money, things, vehicles etc., and explaining the iterative process right from designing the house, adding perimeter security, monitoring, installing access controls, adding safes, segregation and storage of valuables, using 3rd-party services such as banks, insurance providers, personnel, vehicle and infrastructure safety measures, safeguarding information related to all access and authorization measures such as keys, passwords, vault codes, inside attacks, social engineering and anything else that is there in this world. The same could be mapped to the threat modeling approach and related to what needs to be done for the business at every level: the systems that need to be implemented to protect and safeguard the valuable information / data, and the responsibilities of everyone who is involved in the process. Education goes a long way, right from what an individual - a single person - could contribute and the personal security habits they develop, to what they do as part of their job, which will add to the culture of having the right security mindset, and all the mentioned issues will slowly be addressed over a period of time. Enforcing without proper articulation will lead to people circumventing / not adhering to the processes.
People: Being from a programming background and having subsequently progressed to an architect and higher into management, the planning was missing even in me. I used to think of ways to get away from Information Security practices / processes because they add a lot of delay and associated changes, but realized they are required for the success of everything that is related to business. As they say, humans are the weakest link in a security chain, so try to automate as much as possible, with proper audit trails of all the activities and responsibility management. Based on the business requirements and needs, categories / segregation need to be made with respect to the privileges and rights one shall possess to carry out their duties, and this needs to be enforced to function. Bypassing / working around security will lead to widespread workarounds and slow adoption, resulting in a lot of trouble at a later stage.
All the information security problems can be avoided with little monitoring and a lot of education and cultivating the mindset. It involves all the people who could help build a secure environment, platform and business, making it more resilient to attacks.
To summarize, it is the people's mindset cultivation, education and the culture that could help to go a long way! Just my thoughts.
I wanted to write more, but I believe the above covers the basic idea of it. It's nothing new or that isn't already there, but it's what came to my mind when I read the query. It is also something which I practice on a day-to-day basis, and I do as much mentoring as I can to cultivate it among my peers.
Thanks and comments welcome. Have a fantastic day!
I will indeed have a fantastic day:
Interesting update to my original question via this piece:
What do you think?
It is an interesting article. Though the emphasis on identity is the focus of the topic, I believe the various threats are seen as a medium to get to the ultimate target, the "data".
An interesting analogy that mapped security to the brakes of a car talks about their function of slowing the car down, but in practice the presence of brakes allows you to drive faster. The mindset of seeing brakes as a means to slow down the car should instead perceive them as an enabling factor which allows you to drive faster. Without brakes, you would be driving slowly and carefully and could not even stop the car when needed! 🙂
If a slightly different approach is taken to map the various factors that revolve around the protection of the ultimate target (the data), it will become easier to perceive the importance of employing security.
Just my thoughts. Comments welcome.