If you haven’t read Gunnar Peterson’s latest post, “The year the security dog caught the car,” go read that first.
Gunnar describes the stereotypical information security organization quite well:
There was, until recently, a common passive-aggressive game called “My VP beats your VP” where security and developers and ops would meet on a project. The security team presents requirements, dev and ops nod. But there was not much intent to follow through; then, when deadlines could not be met or pen tests failed, hard decisions had to be made. The rank and file security, dev and ops people all escalate to their respective VPs, inevitably the dev and ops VPs crush the security VP, the project goes live, and rinse, repeat.
Gunnar goes on to say that with the string of security breaches as of late (Target, Sony and now Anthem), the Security VP is winning more often than not. Security has become a special snowflake that can pop up and make demands upon the rest of the technology organization.
That has to stop. Security is not — or should not be — a special snowflake. In fact, what Gunnar describes above is the non-collaboration of the key pillars of technology. The only thing that has changed is the balance of power, which now lets security win more often.
I’m a big proponent of the building security in methodology. Do it right the first time. That’s hard to accomplish when the Security VP is fighting with the Development VP. As a technology organization — as applications and networks are built — security should be integrated into the process just like availability and functionality are today.
Where To Go From Here
As a security industry, we need to change our methodology. Security should no longer be policing the organization, but acting as a collaborator and builder with a seat at the business and technology tables. We should not say no, but ask how we can get to yes. We should be helping our application and infrastructure teams do it right the first time. We should be working with the business to help them make smart security decisions.
We should focus on the people and process more than the technology. We need to prioritize security education for everyone who touches our systems.
For many companies, what they are doing today will not be sustainable into the future.