Pragmatic Cybersecurity unpublished

Opinions expressed on this blog reflect the writer’s views and not the position of the Capgemini Group

Security does not have to be the fall-guy

Category : Security Strategy

For many years, security has had a reputation for acting as a brake on the business. This is typically because of a perception that security functions are only there to say “no”. I’d argue that this is not always the fault of those responsible for security. Now, I’m not saying that there are no intransigent, belligerent or draconian security types out there (I’ve heard there are plenty outside of our own little group ;-)) however I do believe that project and programme managers sometimes take advantage of the bad reputation built up by “security”.

What do I mean by this? Well, I’ve seen many programmes and projects over the years that have been set overly ambitious targets and which, at some point, realise that they are on the verge of failing. At this point some bright spark will note that “security” have yet to be engaged on the project. Upon late engagement, the security expert will then point out all of the standard security requirements that have not been incorporated and will immediately be painted as an impediment to delivery and the prime reason why the (already failing) project can no longer deliver the requirements of the business. Security can be a great fall guy.

What can we do about this? From the security perspective, we need to make sure that we are engaged as early as possible on new programmes and projects. The best way to do this is to build up direct relationships with the business. This then enables security requirements to feed into the very beginnings of delivery. A tight working relationship between security and the business is also critical to success in any Agile development - security elements must be embedded within the user stories rather than tacked on post software delivery. From the project and programme management perspective, you need to engage often and early with the security experts – whilst you may lose a convenient fall guy, you will increase the likelihood of successful outcomes overall. Let’s work together to improve the unfortunate reputation of “security”; we’re here to help not hinder!

About the author

Ian Cole
Ian has been employed with Capgemini since 2006 and during this period has been assigned on a number of public and private sector projects within the various market sectors. Ian’s security interests are in information assurance/protective security; he also has a penchant for deciphering security speak to simple English targeted at a CxO level. Ian is a Security Cleared consultant with over 15 years experience in information security. He has an MSc in IT Security and is a member of CESG’s Listed Advisor Scheme (CLAS), an Associate Member of Institute of Information Security Professionals (IISP), a Certified Information Systems Security Professional (CISSP), a Certified Information Systems Auditor (CISA) and an ISO27001 Lead Auditor.
2 Comments
Throughout human evolution security has always been a necessity in everyday life. The way that security has been integrated into the information technology age has been wide across all aspects due to the complicated nature of information systems. Through the eyes of many clients it is often seen as the area that allows access through AAA (Authentication, Authorization, Accounting) and not seen as the blocker, more often the blocker is seen as default. I accept that some clients may see security as a hindrance but more often than not the hindrance stems from bureaucracy. The fall guy reputation in information technology can be seen in any area of modern enterprises, I'm sure Colt Seavers would agree.
Hi Roger, It seems you've had the pleasure of working with some very security-friendly clients :-). There's an interesting write-up of a keynote given at a recent CSA event here whereby the speaker puts forward a similar opinion to my original post, albeit from the perspective that sometimes the security types really are the problem and not just a fall-guy:
