- Key Mistake 1: Separate Camps
- Key Mistake 2: Uncommon Standards
- Key Mistake 3: Treating Business Processes and Usability as an Afterthought
- Key Mistake 4: Inadequate Security Testing
- Moving Toward Confluence in Enterprise Security
Key Mistake 3: Treating Business Processes and Usability as an Afterthought
If software developers and security professionals reside in different camps, line-of-business owners are not even on the campgrounds. Functional specifications don't always capture the true nature of business flows; often they describe the requirements that are desired rather than the way work is actually done. Discrepancies arise for several reasons, but, regardless of the reason, convenience matters. Users must be able to do their jobs without security requirements that are cumbersome or unnecessarily complex (from the users' perspective) and that run counter to natural business flows. In a battle between business flows and security, business flows will win; more broadly, in a battle between convenience and security, convenience will win. In practice this translates to passwords written on notes stuck to computer screens, keycards left in desk drawers, security doors propped open (yes, physical security must be top of mind as well), and other equally troubling workarounds that quietly negate the control they bypass.
Starting point for addressing this issue
Identify the full set of stakeholders: the senior executives, project managers, administrative users and end users, network and system administrators, security operations staff, testers, developers, legal and regulatory affairs officers, and so on who have some interest in the security of enterprise operations and who can ensure that business priorities, workflows, and usability concerns are considered from project inception rather than retrofitted at the end. In determining stakeholder groups, ask these questions:
- Why are these players important?
- What is their typical background?
- What are the likely challenges to their participation, and how can you overcome those challenges?
This much broader vision of the security team facilitates collaboration across stakeholder groups. "Baked-in" security doesn't just refer to the technology; security also must be baked into workflow processes.