“Come Talk to Me First”
Posted July 16th, 2007 by rybolov“…so that I can tell you which security things you do not have to do.”
There are so many rules that security people deal with on a daily basis, the best part about taking a risk-based approach to security is that you know where you can ignore/cheat/circumvent/write “N/A” on it. That’s why I like the engineers to let me know when they’re starting a big project.
If you’re stuck at denying projects at the last point possible–at the point of implementation–then you’re way too late. Security involvement in projects should be before they even get funded (ie, during feasibility studies and requirements definition) so that we can get in our abbreviated list of needs and requirements.
Just like salmon, good security managers know how to “swim upstream to spawn”.
Similar Posts:
Posted in Risk Management, The Guerilla CISO | 3 Comments »
July 16th, 2007 at 1:48 pm
Funny, but I find myself doing this (“…you don’t need to do that.”) on a regular basis, and I was wondering whether I’ve mellowed in my old age.
OTOH, I managed to get “up on the governor” last Thursday, someething I haven’t done in a while.
July 16th, 2007 at 4:27 pm
Hey, I find myself wondering the exact same thing from time to time. Then I go down and do a data center walkthrough and rip people up.
Have to work to keep everybody fearing you, otherwise it’s nothing but work, work, work to regain it. I learned that from the Dread Pirate Roberts.
July 16th, 2007 at 8:17 pm
Yup, you two have mellowed with age.
It’s not “you don’t need to do that”, it’s “you really shouldn’t ask for this [risk assessment], because you’ll get answers you don’t like. What you should’ve done – because you have these de facto standards in place – you should stick to them.”
And then watch the different security functions argue it out who decides, who implements, who recommends, and who has the veto power.
In the mean time, you’re free to draft a governance plan, have ample evidence that one is badly needed, and that you’re the only one with the know-how and good relationship with everyone to actually implement it.
Why are you giving me that look now?