A good friend told me that anengagedinformation security professional is one wholeads with the KNOW instead of the NO. This comment struck me and has resonated wellfor the lastseveral years. It hasencouraged me to better understand thedesires of the business areas in an attempt to avoid theperception of being the no police.
We are eachable to recognizethevalue in sprinklingin the information security concepts early and often into software development projects. This approach saves each of the stakeholders a great deal of time and frustration. Especially when compared tothe very opposite approach that often causes the information security team tolearn at the very last minute of a new high profile project that is about tolaunch without theproper level ofinformation security engagement.
There are certainly projects and initiatives that may very wellstill warrant a no from an information security perspective. Before we go there by default,I respectfully invite us all to KNOW before we NO.I truly believe that each of us can all improve the level of engagement with our respectivebusiness areas by considering this approach. In what areas can you KNOW before youNO next week?
Please leave what works in our comments section below.
Russell Eubanks
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.