Outside contributor to the blog shares his views from the field
A security professional working for a large end user organization contributes occasionally to SecurityDreamer under the pseudonym of "Padded Arrow." Here are his latest thoughts from a Fortune 500 corporate security department:
You may have noticed that over the last couple years, Security is changing phases in the never-ending cycle. With the current financial climate, cost is once again the biggest project risk. If Security departments are to survive, they will need to move from an add-on risk function to an integral part of the organization. They will need to move from saying "no" to saying "how can we do this securely."
First, let's agree on two things: bolt-on security and security by obscurity don't work. They cost more and, in the end, don't increase security.
Collaboration, collaboration, collaboration
As much as we all want to be special, unique and different, that is a negative when it comes to corporate solutions. Look for opportunities to collaborate with other business units in your company to save money. I know this is difficult for most of the "I'll tell you but then I have to kill you" security types, but why would you implement a million-dollar security platform for monitoring when there may already be a solution available? Many IT management platforms include functionality that can be leveraged by Security: reporting, logging, monitoring, alerting. Collaborate during product selection and you may get the functionality you need without any additional cost.
Show costs accurately and realistically
Most business managers have grown immune to the claims of loss that Security has been spouting for years. "If we don't put this system in, we will be overrun with hackers and that will cost millions if not the company." Put real numbers to a real problem and then propose a solution that costs less than the potential loss. You wouldn't spend more than something is worth to protect it.
Learn how to say "yes"
…or better yet, "Here is how you design this solution securely." Granted, 100% Security is 0% functionality; however, 100% functionality doesn't necessarily mean 0% Security. The earlier Security is involved in the development and requirements process, the easier it is to make sure the organization is protected.
– Padded Arrow