KNOW before NO
A good friend told me that an engaged information security professional is one who leads with the KNOW instead of the NO. This comment struck me and has resonated well for the last several years. It has encouraged me to better understand the desires of the business areas in an attempt to avoid the perception of being the "no police”.
We are each able to recognize the value in sprinkling in the information security concepts early and often into software development projects. This approach saves each of the stakeholders a great deal of time and frustration. Especially when compared to the very opposite approach that often causes the information security team to learn at the very last minute of a new high profile project that is about to launch without the proper level of information security engagement.
There are certainly projects and initiatives that may very well still warrant a “no” from an information security perspective. Before we go there by default, I respectfully invite us all to KNOW before we NO. I truly believe that each of us can all improve the level of engagement with our respective business areas by considering this approach. In what areas can you KNOW before you NO next week?
Please leave what works in our comments section below.
Russell Eubanks
Security Culture for Leaders | Amsterdam | Oct 7th - Oct 11th 2024 |
Comments
Anonymous
Apr 29th 2017
7 years ago
Thanks for sharing and supporting the SANS Internet Storm Center!
Russell
Anonymous
Apr 29th 2017
7 years ago
The problem is not that security-mature security professionals say no, the problem is that security-immature managers ask the wrong questions, don't want to consider risks and want security professionals to take full responsibility.
Like, for example:
- We want to move our HRM and financial administration to cloud company X, is that secure enough? Please answer right away because we want to decide today.
- I just bought portable device X and want to access our file and mail server from that device. I presume that's okay with you?
- We want to save some expenses and run both DMZ servers and internal servers on the same virtualization platform which should be secure enough.
- Our IP-based security camera's and intercom (all mounted outside the building) are securely separated from the rest of the network by using VLANs.
- We want to cooperate with third party Z. They say they have ISO 9001 and ISO 27001 certificates. Okay?
- A photo of a chip (instead of a real chip) on personnel access cards for the US senate suffices, right?
Etc. etc.
Anonymous
Apr 30th 2017
7 years ago