For many years, security has had a reputation for acting as a brake on the business. This is typically because of a perception that security functions are only there to say “no”. I’d argue that this is not always the fault of those responsible for security. Now, I’m not saying that there are no intransigent, belligerent or draconian security types out there (I’ve heard there are plenty outside of our own little group ;-)), but I do believe that project and programme managers sometimes take advantage of the bad reputation built up by “security”. What do I mean by this? Well, I’ve seen many programmes and projects over the years that have been set overly ambitious targets and which, at some point, realise that they are on the verge of failing. At this point some bright spark will note that “security” have yet to be engaged on the project. Upon late engagement, the security expert will point out all of the standard security requirements that have not been incorporated, and will immediately be painted as an impediment to delivery and the prime reason why the (already failing) project can no longer deliver the requirements of the business. Security makes a convenient fall guy.
What can we do about this? From the security perspective, we need to make sure that we are engaged as early as possible on new programmes and projects. The best way to do this is to build up direct relationships with the business, so that security requirements feed into the very beginnings of delivery. A tight working relationship between security and the business is also critical to success in any Agile development – security elements must be embedded within the user stories rather than tacked on after the software has been delivered. From the project and programme management perspective, you need to engage early and often with the security experts – whilst you may lose a convenient fall guy, you will increase the likelihood of successful outcomes overall. Let’s work together to improve the unfortunate reputation of “security”; we’re here to help, not hinder!