Securing and Creating Chaos

Information Security and Software Engineers
July 8, 2013


As a security professional I am frequently asked “Which piece of the enterprise do you secure first?” As a developer, I am asked on a new platform “Which software do you port first?” These questions are both sides of the same coin.


In Information Security, coming into a startup whose focus is being fast, energetic and agile they look at me like alcoholics at an intervention. Like I am trying to take away their fix, their juice, their addiction. But in reality, I am trying to give them more. I just want to make sure they are drinking what they really like, so the beer drinkers get more beer, and the whiskey drinkers get more single malt. That metaphor holds.


My answer to the security question, which piece do you secure first, is also a question, “Which strand of spaghetti do you eat first when served a bowl?” Exactly, the easiest piece to come out. You look at the bowl, stick your utensil in, twist and pull. then things seem to line up, and slowly the chaos is clean.


Perhaps with Information Security there are some of the usual suspects, Identity Management, Role Assignments, Intrusion Detection, Intrusion Response, Services Protection, Information Loss Prevention to name a few. And  I find that organizations are stronger or weaker in some of these areas. Which to address first? Find which piece can be done the fastest, cheapest  and has the best return on investment. An old qualitative rule of thumb that I distill and discuss with co-workers, from engineers to the C-Levels.


As a developer on a new platform, I liken that to a new whiteboard waiting to be defaced. But the tools are easy, first an editor, to build a compiler and then I can write whatever software is needed, like a better editor. I imagine the process is like an architect, some just dump in the same foundations and build the same box in a different spot or others are artistic and the buildings seem to float.


So, with development the problem that needs to be solved is the opposite of security. With security you try to remove pieces without breaking the whole, with development you build a foundation and then the following levels, until you have a finished product.


But I find that rarely do I work on a new platform, instead I am thrust in the middle of a digital urban landscape, with various routes from where I am, to where my project needs to be. And I have to decide how to exist within the past digital environment, that others have left. Some developers don’t know how, or do not wish to learn, so they demolish and just build where they landed, and expect the corporate enterprise to come to them, others are immersed in the legacy systems and never try to build something new. But I envision the system as a whole, see the connections and move my project so I can take advantage of what exists while extending and making something more. This is how my development and security experience intertwine.

wdnii.
© 2013 Norris Proprietaries Incorporated.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.