Bear with me as I ramble a bit in this post. This is something unpolished that I didn’t really want to lose. I reserve the right to completely change my opinion!
Which one of these will realistically get us the farthest in security? Choose only one.
- administration: managers/execs/policywriters
- techs in the trenches
- auditors/testers
- secure code/architecture i.e. “build it secure”
Yes, the best answer is clearly a combination of all of the above.
But for the sake of argument, let’s say you can only pick one horse to put your money behind. Which one gives you the most realistic chance?
– administration: managers/execs/policywriters – This is your typical layer where policies get written, strategies formulated, and employees managed. To me, this is a necessary layer, but alone they don’t do a whole lot without the support of everyone else, much like a policy with no enforcement. There is also the devil of being too abstracted from the real goings-on to be effective, or to live in a reality that doesn’t match the one on the ground. Do they say security is working but have no real way to back that up? This isn’t always the case, but it is the devil they must battle. And that’s assuming their employees are even following the decrees made… A good aspect of this layer might be the people who manage appliances on a broad level to produce statistics and the like. But do we really want to lean heavily on Big Boxes?
– techs in the trenches – This is where I’d put my money. The people on the ground and in the trenches. Sure, they may have some weaknesses like enforcing security with no real policy or guidance, or a lack of focus, but to me they’re the ones who will always do the implementations, detections, and investigations. These would be the guys and gals who, if you gave them 8 hours a day to “do security” and left them in a room, they’d implement all sorts of wild things that can be extremely effective. If you get them even slightly working with the rest of business rather than just in their caves, they can be a real force.
– auditors/testers – This is the group of people who not only point out all the wrong things you do, but also hopefully point out how you can do things correctly. A powerful group, but I think they ultimately rely on finger-pointing and may not directly get anything done themselves. Given a high degree of intelligence and knowledge, though, those rare individuals are exceedingly valuable. On the testing side, their research and automation are hideously valuable.
– secure code/architecture i.e. “build it secure” – This is a great approach, but I think the “realistic” part really kills it. I’ve talked about the caveats of this group before (and can’t find the post[s]), so I won’t go into detail. But if technology didn’t change and economics shifted to value security, this could be a powerful group. Sadly, while important, I wouldn’t bet on it as my horse because it just isn’t realistic alone. Technology changes faster than we can learn it well enough to secure it properly upon creation; economics pushes function before security; etc.