bradynathan
Viewer

Re: Why don't people engage with security professionals early enough? Are we too stealthy?

In financial services it is not possible to engage the security until there are deliverables for them to evaluate. The software has to be ready for testing before the review process can begin and they typically do not dedicate resources to projects. Questionnaires get submitted to a general pool of security analysts that review and make follow-up requests. The developer responses then go back into the queue and a different security analyst could pick it up. This back and forth usually goes on for months and sometimes there are conflicting opinions from the security analysts that can result in rolling back.
Steve-Wilme
Advocate I

Re: Why don't people engage with security professionals early enough? Are we too stealthy?

 
Your organisation appears to have some problems. The quality control gate at the end approach just doesn't work for the reasons you outline.
 
 
-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
bradynathan
Viewer

Re: Why don't people engage with security professionals early enough? Are we too stealthy?

Not my company. This is the typical approach in the larger financial services companies. The security teams are very stealthy about their policies and many are based on ideas around how technology was implemented 20 years ago.