Information Security as a Team (ISaaT)
Prelude
Obviously ISaaT is something I made up, so feel free to mock me / reuse as you see fit. :)
Introduction
Corporate information security is everyone's responsibility. You hear that said a lot, but does it actually mean anything? Arguably it's a pretty hollow statement. It's usually a soundbite, rolled out when bad things have happened or an auditor is about to rock up.
This is true.
In an earlier post, I talked about being the only bloke in the company that's paid to worry about information security (as in, my job description specifically details this) and at the time of writing this post, that's still the case.
That's not to say others in the business don't care about the subject, or aren't passionate about it in the same way I am. No, they simply aren't paid to hold those views, or drive that passion in the shape of improvement.
This post is aimed at recognising those people, the contributions they make and maybe encourage managers responsible for security in organisations to consider looking inwardly for people that care, have talent and passion and that can improve their security posture.
Here goes.
The background
As I've said previously, before I picked up the responsibility for web application security a couple of years ago, no specific roles existed that cared about the subject of information security at all. In the modern age of commerce, this isn't a great place to be, so when I was appointed it felt like a monumental step forward and I want to be clear about how positive that move was.
Technology
There are people that have links to information security dotted about the firm, so for example, Terry cares about our managed firewalls, ensuring that customers are secure from a hardware point of view. Terry also cares about wider security issues, but it isn't his job to do so.
Andy works in a team responsible for rooting out and dealing with copyright infringers, people using the services they buy from us to launch spam campaigns and stuff like that. He also looks at the security of our hosting products, such as cPanel, which run platforms like WordPress and the like. To this end he's very much involved in security, but he wants to do more. Because he cares.
He also gets involved (largely in his own time) with investigating serious security flaws in vendor equipment and shares any findings back into the business. Again, because he cares.
As most of you know that read this and other information security blogs online, where the people in the industry are being discussed, the most important quality is passion. Skills and knowledge can be obtained. Caring comes first. Anyway...
Paul currently covers off the security of our mail platforms and hosting solutions, as well as many other things. Again, he gives a shit about wider security issues, but again, it isn't his actual job.
Julian and Carl both seriously get information security and indeed have both been instrumental in my own development in the area. I'm very grateful for that. I wouldn't say they taught me all I know, but they certainly helped shape my understanding of web applications and supporting infrastructure and set me on the right course.
It's often hard to get software developers in a web application security mindset, because they're regularly pushed to deliver features, features and more features. This isn't great, because if the priority is delivery, then sometimes corners are cut, lowering the quality of the product. Security is an attribute of software quality, let's make no mistake about that.
Step forward Baidy
When a software developer comes along and says they're passionate about security, you seize the opportunity to go bananas, obviously in a controlled manner. Right now it's rare. Baidy came to me a year ago saying he wanted to understand secure coding. For me this was awesome, so my initial response was to send him away to study ethical hacking of web applications and that's precisely what he did. What is the OWASP Top 10? How does it impact us? How can we go about protecting our systems?
Roughly a year on, he came back and asked me how he can apply his knowledge in his role. So, we made a pact. I provide him with all the tools and support he needs to find, understand and fix web application vulnerabilities and he goes and does all that stuff.
I'm excited by this, as it offers up an opportunity to replay this with other developers across our teams.
Accountability
Paula's role covers compliance AKA quality. Compliance with ISO this, ISO that and all other standards that our firm either currently holds or aspires toward. She's actually responsible for keeping us on the straight and narrow, auditing us, facilitating external audits of us and making sure we're either doing what we should be doing or justifying why we aren't.
Her role is pivotal to a substantial security posture, as she provides the required scrutiny and oversight that makes damn certain we aren't painting over the cracks, using smoke and mirrors, or frankly not doing the right things.
I also work closely with Paula on our mission to deliver compliance with the GDPR. That's covered in other posts. Suffice to say we've formed a pretty capable team, recognised by the people at the very top of our company.
In a nutshell, you need due diligence when it comes to information security and Paula has that well in hand.
There are a few other folks, but the people above are key to our current information security posture.
It's all about the people.
What next?
As our need to remain vigilant to threats increases and as our need to put in more robust controls against incidents follows that pattern, the more we'll need to formalise some of the roles required to ensure these things happen. Goodwill or filling gaps won't take us far.
I'm looking forward to more people being paid to care about the subject and I'd like to think it'd be some of the people mentioned in my post. I have no control of that, but that's my hope.
We're in the process of recruiting a Head of Information Security, which is a brand new role. Someone with responsibility for defining strategy and objectives, crafting plans and leading us to our next stop on the journey. Again, this is a really positive step change for the business.
Part of that will also be the creation of a team, or teams that will realise those objectives. I'm looking forward to being a part of that, but also to hopefully working in a more formal capacity with some of the passionate and capable people I've talked about. Let's see.
I'll keep you posted.
Thanks for reading.