Wednesday, August 15, 2012

Do security like a start-up or get fired

I've given this presentation twice. The first time was at AusCERT this year. The second was at the Banking, Finance and Technology Forum in Mumbai back in June.

I've since moved on to another topic as I do the rounds at various events, so in the spirit of sharing and hopefully getting your thoughts, I thought I'd turn it into a series of blog posts.


In my travels speaking with and consulting for organisations across the world (including, more recently, a large number across Asia Pacific), I've come to observe the good and bad things that organisations do when it comes to security. I won't dwell on the bad. Instead, I've picked out 10 considerations that agile companies tend to focus on in dealing with IT security. I use the term "agile" here purposely, as it is appropriate when describing companies that are dealing with the current external pressures (e.g. cloud, mobility, consumerisation of IT) better than most. Many of the points I highlight should be Security 101 for most security professionals. But in limiting this to a list of 10, I'm aiming to focus on what is important in today's enterprise in being better placed to deal with the pressures organisations are facing.


Let's set the context. In using the term "start-up", I'm talking about a mentality, not necessarily a start-up company. Let me be clear. There are certainly start-ups out there that don't care about security. But what about those that do? Why do they even care? What are they doing about security? How are they similar to the enterprise? How are they different? Are they doing it right? Can we learn anything from them? In addition, there are some big-name companies out there that can hardly be called start-ups anymore, but their culture remains very much in the spirit of a start-up. You don't necessarily need to be a small company to adopt the mentality of one. That is the point I'm making: it's all about having the mentality of a start-up so you can start executing like one. Mindset is often the most difficult thing to change.

Here are direct links to the 10 considerations (links will be posted/updated as they are published):
  1. Trust, brand reputation.
  2. Evolve from “no” people to creative “yes” people.
  3. Do or do not. There is no try.
  4. Security is an ecosystem across companies.
  5. Manage risk appropriately, not compliance.
  6. Own your security programme.
  7. Evolving IT security teams.
  8. Identity is the foundation.
  9. Cloud and BYOD are just IT.
  10. Standards & APIs.
