Where oh where do I begin? I’ve always been a ‘security’ guy, because that’s been my course of study; from cyber bootcamp through to CISM and my Master’s degree.
However, my eyes were opened when I joined my current company. It’s very easy to consider us a ‘cyber’ house because we bake security into our products; however after a little while I realised that it’s an unfair assessment. I once heard a quote – ‘hospitals would be much more efficient if there were no patients.’ To be honest, security would be a lot easier if nobody turned their systems on too. But alas, we need to deliver capability otherwise people don’t eat, the lights don’t switch on, the water doesn’t run, and all sorts of nasty ‘other’ things happen.
This brings me to the crux of this (albeit short) article. A lot of security conversations involve retro-fitting controls into an already active environment – and that’s ok(ish); however as any security expert will tell you, the best solution is to build with security in mind.
Now here’s the rub. Without employing a security architect to help with your construction, you are effectively running blindfolded through a forest when it comes to controls. Budgetary constraints mean that organisations skimp on their protocols, effectively inducing tech (or security) debt from inception.
Here’s where I absolutely love being the link between an IT and security person. By understanding the environment in which our customers deploy, I get to facilitate building tech stacks that are implicitly compliant by design – then maintain compliance using automated tools. By building out these environments with a true security focus, the end result is a customer who can perform their role without fear of breaching their organisation’s risk profile – which to be honest is really damn cool!
This brings me to a point of contention; which should take priority between security and capability? To be honest, I don’t really know the answer – or to be more accurate, ‘it depends.’ Yes, an insecure environment in certain instances can do immeasurable harm; however there is still an implicit need to deliver outcomes. I think it comes down to your primary function; engineers and operations teams will (traditionally) always focus on the delivery, whereas security teams will focus on making sure that risk is managed appropriately.
My challenge to you – all of you – is to imagine a world where we don’t have to choose. By coupling security with development and operations (a true DevSecOps) approach, I truly believe that ‘secure by design’ will be the way of the future. The good news is that the tools are available – we just have to keep an open mind as to how we can use them best.
In conclusion – capability first, security always – but it always comes down to managing risk. And that, friends, is the nature of the beast.