Sunday, September 07, 2008
Why do so many IT professionals bury their heads in the sand...
Maybe the reason most IT professionals bury their heads in the sand is that there is a lot of uncertainty about which aspects of software need to be more secure, and by how much. It is difficult to ascertain up front in the software design process which resources interest hackers most. Many IT security professionals espouse that the best way to become secure is to think like a hacker, but in reality most folks fail at understanding the perspective of others.
Another failing of IT is in aligning people to process: no one really has oversight of software as it goes from development to operations. You might have a solid architecture that takes care of the security of the system you are building, but a bad implementation anywhere in the system could defeat the well-laid plan of the architecture.
While we are talking about worst practices, maybe we should ask ourselves: if we believe that addressing security earlier in the lifecycle is a lot cheaper, then why aren't we training business analysts on how to properly solicit security requirements? Can we acknowledge that security for a web tier is different from the security requirements for a database tier, and that it has to be dealt with differently again in a client-server architecture? Every aspect of the system dictates different security requirements, and failing to understand what is most important to secure is where IT is consistently CMMi level five repeatable...