Core Belief #1 — Security is not Different
Posted April 9th, 2007 by rybolov
Basic fact: If you give an engineer a set of requirements, they will build to them, whether they are functional requirements or security requirements.
Basic fact: Businesses use metrics to determine the effectiveness of anything that they do and to assist in making cost/benefit/risk comparisons. Channeling Jacquith for a moment here, why should security be any different?
Basic fact: Where is the dividing line between quality IT management and quality IT security management? There is so much crossover that, from what I hear, ISACA says you can let QA people serve in some security roles.
Basic fact: Good project managers do risk management for their project. Security just adds a different set of considerations.
Basic fact: It all comes down to economics and personnel management, just like construction, running a restaurant, or engineering a 3-tier major application.
Basic fact: As an information security manager, I spend 80% of my time doing one of two things–either personnel management or basic project management.
And yet, why do I have people telling me constantly “I can’t do that, I don’t know security”??? One of my core beliefs is that security is not different from anything else, and that as long as we as security practitioners keep some kind of mystique about what we do, it will continue to be a “black art” that nobody else thinks they can do.
Posted in Odds-n-Sods, Rants | 1 Comment »
August 15th, 2007 at 11:54 am
[…] enough, this cycle applies to just about any technology or standard, underlining my core belief that security is no different. My thought for today is this: if life imitates art, and security imitates life, then does […]