February 18, 2015 · 2 min read

Security is Not A Special Snowflake


If you haven’t read Gunnar Peterson’s latest post, “The year the security dog caught the car,” go read that first.

Gunnar describes the stereotypical information security organization quite well:

There was, until recently, a common passive-aggressive game called “My VP beats your VP” where security and developers and ops would meet on a project. The security team presents requirements, dev and ops nod. But there was not much intent to follow through, then when deadlines could not be met or pen tests fail hard decisions to be made. The rank and file security, dev and ops people all escalate to their respective VPs, inevitably the dev and ops VPs crush the security VP, project goes live and rinse, repeat.

Gunnar goes on to say that with the string of security breaches as of late (Target, Sony and now Anthem), the Security VP is winning more often than not. Security has become a special snowflake that can pop up and make demands upon the rest of the technology organization.

That has to stop. Security is not, or should not be, a special snowflake. In fact, what Gunnar describes above is a failure of the key pillars of technology to collaborate. The only thing that has changed is the balance of power, which now lets security win more often.

I’m a big proponent of the “building security in” methodology. Do it right the first time. That’s hard to accomplish when the Security VP is fighting with the Development VP. As a technology organization builds applications and networks, security should be integrated into the process just like availability and functionality are today.

Where To Go From Here

As a security industry, we need to change our methodology. Security should no longer police the organization; it should be a collaborator and builder with a seat at the business and technology tables. We should not say no, but ask how we can get to yes. We should be helping our application and infrastructure teams do it right the first time. We should be working with the business to help them make smart security decisions.

We should focus on the people and process more than the technology. We need to prioritize security education. Education of everyone who touches our systems.

For many companies, what they are doing today will not be sustainable into the future.
