Wednesday, September 24, 2008
Holistic IT Security Thinking is non-existent in most enterprises...
It is vital to acknowledge that holistic thinking requires strong technical leadership, something that is lacking in most enterprises. Let's be honest, how many IT executives are technical? If Gunnar Peterson, Mark Curphey, Robert McIlree and others were to be honest, they would acknowledge that while building security upfront within enterprise architecture is cheaper, in all reality it would take true IT leadership (distinct from management) to recognize when it actually occurred.
Consider the fact that many enterprise architects aren't even technical, with many never having written a single line of code in their entire life. Do you think they, combined with the plethora of non-technical process weenies (aka project managers), would recognize a high quality secure architecture from a less optimal one? Many within the enterprise make the mistake of simply thinking it is a matter of bringing on expertise at the right time, and rationalize their thinking by pontificating that no one can know everything! Reality says that this approach is doomed from the start, in that a project manager is rewarded for delivering anything of quality that will be accepted by business customers. Since security isn't visible to most business customers, security architects will never be permitted to do anything that Gunnar and Mark suggest.
Another viewpoint says security professionals are best positioned when security becomes visible. Usually this happens at the expense of the enterprise and the loss of their customers' personally identifiable information. The HR reward systems are still based on heroics and not integrity or prevention. If I do a good architecture or bad architecture within my own job, how many of the folks that have the ability to express their two cents on my annual review could possibly recognize the quality or lack thereof, yet if something bad happens and I fly in to save the day, it is visible to all.
In terms of my own day job, I have a healthy balance of proactive and reactive, but I bet you can predict which one will make me more money...