Core Belief #1 — Security is not Different

Posted April 9th, 2007 by

Security is not Different

Basic fact: If you give an engineer a set of requirements, they will build to them, whether they are functional requirements or security requirements.

Basic fact: Businesses use metrics to determine the effectiveness of anything that they do and to assist in making cost/benefit/risk comparisons. Channeling Jaquith for a moment here, why should security be any different?

Basic fact: What is the dividing line between quality IT management and quality IT security management? There is so much crossover that, from what I hear, ISACA tells you that you can let QA people serve in some security roles.

Basic fact: Good project managers do risk management for their project. Security just adds a different set of considerations.

Basic fact: It all comes down to economics and personnel management, just like construction, running a restaurant, or engineering a 3-tier major application.

Basic fact: As an information security manager, I spend 80% of my time doing one of two things: either personnel management or basic project management.

And yet, why do I have people constantly telling me, "I can't do that, I don't know security"? One of my core beliefs is that security is not different from anything else, and that as long as we as security practitioners keep some kind of mystique about what we do, it will continue to be a "black art" that nobody else thinks they can do.

Posted in Odds-n-Sods, Rants | 1 Comment »

One Response

1. The Guerilla CISO » Blog Archive » Standard Maturity Says:

   […] enough, this cycle applies to just about any technology or standard, underlining my core belief that security is no different. My thought for today is this: if life imitates art, and security imitates life, then does […]