Thursday, October 1, 2009

Good to Great

I read a post on 'Infamous Agenda' recently and it really got me thinking... security practitioners often so caught up on putting out spotfires that we never seem to get a chance to refine our internal processes and practises.

If you're engaged on multiple projects, your requirements should be well understood, documented and easily repeatable. If there is common functionality that keeps appearing on your applications then you should have design patterns available for guidance. Classification of information assets should be defined prior the asset being built, and so on. Common sense security stuff that's a no brainer in theory but often harder to get in place in practise.

How many places can _honestly_ say that their ship runs like this - regular as clockwork?

As I am about to leave my current role and move onto greener pastures, I have spent a lot of time reflecting. I've reflected on my career highlights and contributions - my big wins. I've also spent a lot of time thinking about what I could have done differently. What mistakes did I make? How would I approach the same problem again?

They say a wise man learns from not just his mistakes but the mistakes of others. I like to think that I am my own worst critic (at least I hope so!).

Lately I've been thinking about idealism in security (as opposed to the pragmatic posts of yesterday). If we are too pragmatic we risk becoming cynical. We start to slip and lose our edge. You run the risk of not keeping focus on the items that really matter and you're no longer the gatekeeper but a rubber stamp for the business. Our idealism is what inspires us to lead and to create, it ensures we are passionate about our jobs as protectors and advisors. Lose that and what value to we add?

The difference between a good security practitioner and a great one is one that contributes some of their time each week to enhancement.
Some ideas:
  • Creating design patterns and security architecture.
  • Defining meaningful security metrics for reporting.
  • Clarifying how business units formally engage Security.
  • Embedding security into application development and testing processes.
  • Security training for architects and developers as well as general staff.
I'm not talking about the stuff that's compliance driven either. Just the stuff that we should do a little each day to make the business run a little better. The Japanese have a word "kaizen" which embodies this principle.

It's not all about chalking up quick wins on the board like pleasing business owners, but the consistency. When you build value into the business, one day at a time, and you get to see the fruits of your labour grow over time - that's where security really demonstrates its value and that is the sense of accomplishment I have always found in my work in security.

Good security is more than just plugging holes. It's about building in the right processes into an organisation than enable them to respond to evolving security threats so that even if there are gaps that the business can respond with a degree of speed and agility. Likewise, developing a better security program means devoting time to building those processes even when you think you can't. More importantly, being a better security practitioner means devoting time to ourselves to review past failures and triumphs and learning from them (ontop of the usual insane amount of additional study we do).

In hindsight, I see a lot of things I wish I handled differently. But when I see that a single communications piece not being able to go through Marketing without a review by the Fraud teams to ensure the company message maintains a consistent approach, when Usability teams working alongside Security to ensure key functionality works as intended but doesn't pose a security risk, or even if it is something as intangible as an increased level of security awareness by multiple business units where senior management are asking security-related questions even when I'm not there, I feel like I've left my mark on an organisation and left it a little better than when I started.

- J.

No comments: