It's December, and so it's the season for lists. Here is my list of Top 5 Security Influencers, the people who have the biggest (good and/or bad) influence on your company's and users' security:
- The Person Coding Your App
- Your DBA
- Your Testers
- Your Ops team
- You
Except for perhaps the last one, what do these all have in common? None of them are in the Security Department!
We shouldn't look at security as a one-off, an isolated department of "specialists", but rather leave the ivory tower and look for tools, processes, and training that help the people on this list do their jobs better. Making it faster, better, cheaper and easier to consume and integrate security services into their daily work is the biggest security influencer of all.
Is it a coincidence or is the architect missing? A good architecture has a significant positive influence on security (and with a decent implementation governance), a bad or missing one has a significant negative influence on security.
Posted by: Bavo De Ridder | December 08, 2011 at 01:48 AM
@Bavo - no doubt
Posted by: gunnar | December 08, 2011 at 11:57 AM
What about the network guys (DNS, f/w, etc.)? Do they fall under ops? Because they play a huge role.
Posted by: Travis Spencer | December 18, 2011 at 06:32 AM
Here are the Influencers from my vantage point (architect technically responsible for a project)
1- The guy who really owns the risk (business guy)
2- The guy who knows he doesn't own the risk but pretends he does (infoSec guy)
3- Me and my guys (software eng., DBAs, build, release guys, basically whoever builds software ...)
4- Ops and network guys
5- The hacker/fraudster community
But I agree with the conclusion: Security is too important to be left to security guys ....
Posted by: Farhang | December 19, 2011 at 01:21 AM
Absolutely concur on the "integrated" part. It is my goal to have everyone in the company thinking about security as just an attribute of what they do. Makes it much easier to have an effective security program when everyone on the team is an active part in making it happen.
Posted by: Sec_prof | December 19, 2011 at 04:23 PM