Wednesday, January 07, 2009


Blissful ignorance is the mantra of many enterprise architects...

Blissful ignorance is the mantra of many enterprise architects when it comes to understanding application security. Sadly, it is also the mantra of many security professionals...



I think many choose to remain ignorant when it comes to understanding or implementing application security, and there could be various reasons, e.g., implementation deadlines, limited budget, "we will see it later" and "since it's an expensive application, security will be taken care of automatically"!

So, there is a general inclination towards going for detective or manual controls (e.g., reconciliations, report reviews, etc.) rather than exploring the opportunity of setting up preventive or automated security & controls within and around the enterprise applications. Of course, this requires actually putting pressure on the application vendors to deliver secure software, rather than just being amused by their chock-a-block eye-candy roadmaps...



One needs to ensure that the risks surrounding the key processes are well understood and that relevant security & controls are implemented to mitigate those risks. Information generated by secure and controlled enterprise applications can be relied upon by the relevant stakeholders, thereby bringing in efficiency and effectiveness. Needless to mention, these efforts should be supported by top management. I wonder if Esther Schindler, editor over at CIO.COM, is doing her part in helping IT executives by incorporating the likes of traffic-driving thirty-second sound-bite snippets from other industry thought leaders but avoiding articles that lack substance and encourage them to stay blissfully ignorant...

NOTE: Thoughts presented here are a mashup between a conversation I had with Gunnar Peterson and Brenda Michelson...





