Many of my colleagues are named Erik, and one of them came to me with something he thought might make a good blog topic. People sometimes assume I can turn anything into a story. Occasionally such ideas remain untouched, but Erik’s remark kept nagging at me.
"If you suddenly feel urgency now, then you didn’t choose the right
priority back then," said Erik. That’s a fairly universal statement, not
one limited to information security or IT. It applies to your private life too,
for example in the Christmas season: if you’re ordering a Christmas gift today
and discover it won’t arrive in time, then perhaps you should have left the
vacuuming for later last week. The dust would still be there a day later, but
that order was time-critical. Of course, there can be complicating factors;
maybe you didn’t have the money for a gift last week. Or an important guest was
coming and a clean house was a must.
In the past, we security folks often lamented that security only came into view
at the very end of a project – if anyone thought of it at all. For years we
argued that security should be included from the start. If you want a catchy
term: we call this shift left – moving attention to the front of the timeline.
Long ago (in the late nineties) we had a great mechanism for this: the ‘aspect
meeting’. When a new project started, the project manager had to gather
representatives of various aspects and explain what the project was about.
Participants could then provide feedback and, most importantly, ensure their
aspect got proper attention. For example, by supplying policy documents and
explaining how they should be applied in the project. This way, as an aspect
representative, you could make sure your interests were considered. That
meeting format was one of the best I’ve ever known.
Has much changed since then? Yes and no. There are now far more IT
professionals who understand the importance of information security. A lot
more. On the other hand, shift left still hasn’t happened everywhere. My
colleagues in the Security by Design program are working hard to make it
happen. They do this by teaching teams how to do it. Because here too, the old
wisdom applies: it’s better to teach someone to fish than to give them a fish –
at least if survival is the goal. Furthermore, procurement processes have taken
a good turn. As I wrote a few weeks ago, we have a ready-made set of security
requirements prepared and, just as importantly, the buyers are aware of the Security
Functionals Directive.
It’s not just Erik – there are plenty of Edwins, too. Yesterday I spoke to one,
and the conversation was quite interesting. This Edwin had requested an
exemption from a certain rule. Because I didn’t understand something in the
motivation, I called him. Besides explaining the situation, he shared his view
on exemptions. In his opinion, they’re granted far too easily. Teams should
make more effort to stay within the lines, Edwin thought. I wholeheartedly
agree, and that’s why we always scrutinize deviations carefully. However, we
also deal with a multitude of systems and platforms, from cutting-edge to
legacy. And especially in that latter category, we sometimes hear: what you
want simply isn’t possible for us.
Sometimes that’s too easy. What they really mean is: we assume it won’t work.
But if you bring together people from different disciplines, something
beautiful can happen. Like: "Oh, but if you can set it up that way for us,
then we can do this and that on our side, and then it fits within policy!"
We try to help people take that extra step. But feel free to beat us to it. For
example, by not just assuming something can’t be done.
Back to Erik. He teaches us that good planning prevents later trouble. Because
when something becomes urgent, you often depend on others, who may think: poor
planning on your part does not constitute an emergency on ours. Or it simply
doesn’t fit into their own workload to help you out immediately.
Avoid urgency, plan well. Order that gift now.
And in the big bad world…
- Email security in iCloud should be better.
- You can sign up with this American telecom provider using nothing but your ZIP code.
- The German government conducted extensive research on password managers. [GERMAN]
- Here’s a Dutch summary of that research. [DUTCH]
- One of those password managers received a hefty fine.
- AI can also be used to spread malware.
- There’s ransomware for Android devices too.
- The new Christmas puzzle from the Dutch intelligence service is online. [DUTCH]
- There’s political unrest over the Dutch tax administration’s move to Microsoft 365. [DUTCH]