Information Security as the Status Quo

Thursday, October 21, 2010

Robb Reck

Information Security as the Status Quo

How do you view information security in your organization:

  • A department that is always on your case to improve your systems?
  • A compliance team who hands you a list of requirements you have to meet?
  • An essential part of the quality of the work you create on a daily basis?

Effective information security is not a program that’s forced upon system administrators, developers and DBAs by an external department.

Effective security is created, implemented and maintained by the technical folks who create and manage the systems and applications themselves.

In order to achieve a secure environment we need to move beyond the outdated model that goes something like this...

  1. System is created to meet functional requirements with no consideration given to security
  2. System is evaluated by InfoSec as a step before going live or while in production
  3. InfoSec reports their findings and requests that system owners remediate
  4. Systems owners have to balance these new security concerns against deadlines and resource constraints
  5. Security may or may not be fixed, depending on who wins the argument

This model has the dual honor of being both widely adopted in all types of industries, and wildly inefficient and wasteful.

It requires multiple revisions to the system and fosters an “us versus them” mentality.

A better model of system design looks more like this…

  1. Provide training and guidance to systems creators.
  2. Systems are created with both functional and security requirements in mind.

By moving our security discussions from later in the process to earlier, we enable our technical folks to do stuff right the first time.

This allows for appropriate project scoping, scheduling and expectations for everyone.

Nobody likes to be told they did a job wrong, but that’s what so much of our current information security model is built on.

Success is achieved when security becomes the norm. Until creating secure systems is the expected behavior, we will continually fight a losing battle against our technologists.

The key is getting them to accept security as the status quo, and the key to that is in getting their bosses to buy-in to the mission of information security.

Getting management’s buy in is essential to making an organization-wide change to information security’s role.

Until the managers, directors and senior leadership begin to see security as essential to the success of their products, we will forever go on battling to get security countermeasures thrown in after the fact.

The primary directive of information security practitioners in that type of environment is to evangelize security as far up the food chain as possible.

For more read Robert Lemos’s article “Turn Workers into Security Partners.”

Possibly Related Articles:
Security Awareness
Post Rating I Like this!
Javvad Malik Good post. I agree, security can only be truly effective when its an integral part of the entire process, like quality control on a production line.

Unfortunately in many large organisations, the politics and "silo builders" will always resist as it keeps them in a position of power.
Robb Reck Javvad,

I like to think that "always" isn't a foregone conclusion. When a few organizations start seeing the efficiency increases they get from integrating security through their entire process, the market should begin self correcting. Those companies which cling to doing their work over and over again will have higher costs, longer delivery times, and poorer quality products.

But this may take longer than we want to wait.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.