Information Security A Practical Guide: Bridging the gap between IT and management (2015)
When I started my career in information security many years ago the thing that struck me most was the lack of engagement with people who weren’t of the information security profession. IT in other departments would shy away from speaking to me as they feared security would stick its nose in and either stop their work or make things more difficult. The business viewed it as a dark art and as long as their security guy said it was okay then that was fine. Most people regarded security as a blocker rather than an enabler. I resolved to change that; I wanted people to see security as an enabler: something that can help you do more business and to create more services. An analogy I like to use when describing security is that of a car: would you get into a car that had no brakes? The answer is no, and so security is like the brakes on your car: you need them to drive. Some people counter that brakes stop you going forwards, to which my response is: do you drive around with your foot on the brake pedal? No, you have brakes to slow you down when you come to a junction, traffic lights or some other hazard. You use them as a control so that you can slow down and assess the situation before proceeding safely. Every driver can see the value in brakes, and this is exactly the viewpoint I want to build for information security. In the information age where everything is connected to the Internet, information security is as important as the brakes on your car: if you don’t have it, you’re going to have a nasty accident at some point.
I set about creating and building techniques so that I could better work with my peers, increasing their understanding of security. Helping a business understand the risks means it can make more informed decisions and encourage it to grow.
The chapters in this book have been used by myself over a number of years as tools so that I could help my employers build safer systems. Each chapter shares one common focus and that is communication; nothing in this book has been suggested without giving you real value and helping you to better collaborate with your team. I have come across many long-winded documents or overly technical diagrams that are created and then simply filed away to tick a box for some compliance. Each of the things you create from following this book are meant for re-use; they are meant to be changed as the system changes and the risks change. Each chapter is written with examples; the idea is that you read the chapter, understand the technique and then implement it referring to my example if necessary. The book is written in order of how you would follow the techniques described, and each chapter builds upon the previous chapter. The techniques described can be adapted and changed – in fact I encourage it – as I have applied these on many Agile projects and adapted them each time to suit the people I worked with, so you should do the same.
I would like to offer one key piece of advice that is more important than anything else. Make sure you take the time to educate your team on security in a way that they will understand. Make sure you regularly take the time to understand their security concerns and always give them a response ensuring they understand the reasons for your decision. Having your team buy into security and making it part of their day to day work is one of the most valuable information security cultures you can foster; your people will truly become an information security strength.