I am happy to see that my friends at Cigital have started a blog called Justice League focusing on software security and quality. Cigital is one security company that has always recognized that pinning your security hopes on a magic device or widget does not make you secure; rather, rolling up your sleeves and engineering your code and processes to build more secure software is where you should be focused. Now some of my favorite Cigitalites have a blog to share their ideas with the blogosphere.
Keeping up with the Jones’ Security Initiatives ... Over time my relationship with clients deepened, as did their maturity in software security. Their questions also deepened, getting more specific: “How far down the static analysis tool adoption path are my competitors?” I can’t see any way of answering questions this specific without giving away others’ competitive advantage, potentially exposing them to risk, or violating their trust (not to mention NDAs). Stuck wondering if I would be unable to provide further perspective, I began to question this perspective’s real value:
“Is the Jones family really the goal?” I asked myself. Actually, I’m pretty sure it isn’t. Each organization’s security efforts should grow very differently from one another. They’ll start at different places, sure. Not only that, but even if you tackle the same problem as your competitor chooses to tackle, the ‘optimal’ approach for each organization differs. Why? Because each IT shop grew up to support its business differently. Metaphorically both you and the Joneses have children—but both sets of children have very different special needs.
Exactly! This is a huge problem. Why does security operate differently from the rest of the business? Would your sales & marketing team just do exactly what your competitors do? How do you differentiate your company then? Would you invest in a stock because your neighbor did?
This is a big issue and a barrier to enterprises improving their security. A lot of it is driven by the reality that digital security is generally looked at as infrastructure. What do you mainly do in infrastructure? Keep costs down, keep the lights on, find things that are commoditized, and, yeah, do what everyone else does. But here is the thing: now that businesses are decentralized and heavily (hyper?) integrated, security is not just about infrastructure. It is about how reliable and resilient you want your business processes to be, and, yeah, how much you want to spend to get those qualities. Hmmm... tough questions... Let's ask Ms. Jones what she thinks.
So to move from an infrastructure focus towards innovation, customers and markets, a different approach to information security is required. Education is key; as Robert Garigue pointed out, infosec and CISOs need to look at Charlemagne as a model. You can't outsource your homework to the Jones' kids.
Also, check out Scott Matsumoto's discussion on Built in or Bolt on security.