Caute_cautim
Community Champion

Why don't people engage with security professionals early enough? Are we too stealthy?

Why is it that in some or many cases, security professionals are not engaged at the start of new initiatives, either internally by their own organisations or via clients? Is it because we frighten people? Are we too stealthy? Is it because they don't want to trouble us? Don't know how to engage with us professionally? Don't want to embarrass themselves by asking the wrong questions? Don't want to spend money on security? What drives them to these momentary moments of insanity, where someone makes a decision at the start of an engagement not to get security professionals involved? Which normally results in a high-intensity catch-up to help them out of a rut or, in many cases, literally save their bacon? Security is a business (business, people and technology) problem; adding additional technology which does not integrate with the organisational security framework and how it operates just exacerbates the situation, as we all know. Answers and points of view would be appreciated.

32 Replies
bradynathan
Viewer

In financial services it is not possible to engage security until there are deliverables for them to evaluate. The software has to be ready for testing before the review process can begin, and they typically do not dedicate resources to projects. Questionnaires get submitted to a general pool of security analysts who review and make follow-up requests. The developer responses then go back into the queue and a different security analyst could pick it up. This back and forth usually goes on for months, and sometimes there are conflicting opinions from the security analysts that can result in rolling back.
Steve-Wilme
Advocate II

Your organisation appears to have some problems. The quality-control-gate-at-the-end approach just doesn't work, for the reasons you outline.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
bradynathan
Viewer

Not my company. This is the typical approach in the larger financial services companies. The security teams are very stealthy about their policies, and many are based on ideas around how technology was implemented 20 years ago.