security for the masses
A lot of this is the fault of security professionals. Far too many of us see security as an end unto itself. Many don't realize that simply finding a policy violation does not equal success. It's no wonder those outside of security often treat security as some weird realm to be entered at your peril. This attitude places an upper limit on meeting security requirements, because security activities are generally viewed somewhere between necessary evil and unnatural act. The security team walks into meetings with the de facto goal of serving as a random requirements generator lobbing overhead onto the project, rather than consciously moving the business forward by solving problems using a specialist's toolkit.
Some people, when given a hammer, would rather hit someone with it instead of using it to build a house.
In our corner of the enterprise world, the security team is composed of Security Conscious Problem Solvers (credit my enterprise security architects Bryan McDowell and Barbara Vibbert for this phrase). We're here to solve business problems, and recognize that when your eye is on the ball of customer satisfaction, revenue, scalability, connectivity, etc., you can miss out on the need to cover security requirements as well. Security work needs to promote business needs, not just implement some set of rules that looked good in the abstract when someone wrote them down. The intent of the rules needs to be understood. The rules need to be clear and repeatable as much as
The security team always needs to be open to the possibility that the rules are wrong and need to be changed. That's harder than saying "No" formulaically, but it's sustainable in the long run.
This was first published in October 2008