Gunnar Peterson prompted us yesterday in Dark Reading with this provocative question:
Does your company actually need a security department? If you are doing CYA instead of CIA, the answer is probably no
It’s easy to agree with Gunnar when you read his analysis. He offers a false dichotomy fallacy.
Standing up a choice between only awful pointless policy wonks in management and brilliant diamonds found in engineering, it’s easy to make the choice he wants you to make. Choose diamonds, duh.
However, he does not explain why we should see security management as any more of a bureaucratic roadblock than any/all management, including the CEO. Review has value. Strategy has value. Sometimes.
The issue he really raises is one of business management. Reviewers have to listen to staff and work together with builders to make themselves (and therefore overall product/output) valuable. This is not a simple, let alone binary decision, and Gunnar doesn’t explain how to get the best of both worlds.
A similar line of thinking can be found by looking across all lines of management. I found recent discussion of the JAL recovery for example, addressing such issues, very insightful.
Note the title of the BBC article “Beer with boss Kazuo Inamori helps Japan Airlines revival”
My simple philosophy is to make all the staff happy….not to make shareholders happy
Imagine grabbing a six-pack of beer, sitting down with engineering and talking about security strategy, performing a review together to make engineers happy. That probably would solve Gunnar’s concerns, right? Mix diamonds with beer and imagine the possbilities…
Inamori had interesting things to say about management’s hand in the financial crisis and risk failures in 2009, before he started the turnaround of JAL
Top executives should manage their companies by earning reasonable profits through modesty, not arrogance, and taking care of employees, customers, business partners and all other stakeholders with a caring heart. I think it’s time for corporate CEOs of the capitalist society to be seriously questioned on whether they have these necessary qualities of leadership.
Gunnar says hold infosec managers accountable. Inamori says hold all managers accountable.
Only a few years later JAL under the lead of Inamori surged ahead in profit and is now close to leading the airline industry. What did Inamori build? He reviewed, nay audited, everything in order to help others build a better company.
An interesting tangent to this issue is a shift in IT management practices precipitated by cloud. Infrastructure as a Service (IaaS) options will force some to question whether they really need administrators within their IT department. Software as a Service (SaaS) may make some ask the same of developers. Once administrators and developers are gone, where is security?
Those who choose a public cloud model, and transition away from in-house resources, now also face a question of whether they should pursue a similar option for their security department. Technical staff often wear multiple hats but that option diminishes as cloud grows in influence.
In fact, once admin and dev technical staff are augmented or supplanted by cloud, the need for a security department to manage trust may be more necessary than ever. This is how the discrete need for a security department could in fact increase where none was perceived before — security as a service is becoming an interesting new development in cloud.
Bottom line: if you care about trust, whether you use shared staff or dedicated services, dedicated staff or shared services, you most likely need security. At the same time I agree with Gunnar that bad management is bad, so perhaps a simple solution is to build the budget to allow for a “beer” method of good security management.
I recommend an Audit Ale
This style had all but disappeared by the 1970s, but originated in the 1400s to be consumed when grades were handed out at Oxford and Cambridge universities…. At 8 percent ABV, it has helped celebrate many a good “audit” or soften the blow of a bad one.
You raise good points. All companies need security. What I am trying to get at is- how best to deliver it? I do not think the present situation is working all that well and could be better. This is due, in my view to infosec being dominated by breakers and auditors, when instead what it needs is builders.
Today the breakers find something and the auditors record the policy exception. Nothing gets built and not much changes. That’s why the OWASP Top Ten never changes. Perhaps delivering security out of teams more accustomed to building and deploying in the real world is a more effective way to do this and we can work on new problems instead of solving problems from decades ago.