Throughout my time working in IT, security has always
been important. As more and more things move online, ensuring good data
security practices is even more crucial. What you do with your data, both
personal data and data for your company, can be a decision that leads to horrible
results or can make your life easy. While securing your personal data is
something that is on you (and your family), making sure that data for the
company you work for is secure can be an entirely different challenge.
I’ve spent the day at the DevOps Day in Minneapolis and
it has been a great conference to go to. If you work in a development or
integration environment at all, I could not recommend this conference more. If
you think you want to work in this environment, it’s also great to attend.
There are a lot of wonderful things that you can learn and people that you can
meet. It’s an amazing networking opportunity.
Megan Carney discussing the idea of working with users
Since security is so important, one of the key points
that a number of the speakers and sessions addressed here today was security
and how you maintain a secure environment. There were a lot of ideas out
there and each company does things a little bit differently. All of the
speakers did address a similar idea, and it is one I honestly hadn’t heard
talked about much before – security is a shared experience.
Most everyone is familiar with the Bastard Operator From
Hell (BOFH). It’s the IT person who sits high upon their throne and issues
edicts and proclamations to the masses, usually arbitrary and capricious, about
how things will be done. In the BOFH’s world, there is no room for negotiation
or compromise. Those who try to offer suggestions or alternatives are met with
scorn. Obviously the BOFH has the most experience, knows what is right, and woe
be to the peasant who would dare defy the all-powerful BOFH. (Side note: I blissfully
have never had to work with somebody like that. The IT director where I worked
was *wonderful*.)
The problem with the BOFH model is that there is no
incentive to work with the person. And with no sense of shared experience or a
desire to collaborate, people who work within the company may not have any
reason to buy in to a security program or follow procedures that, while
appearing arbitrary and capricious, actually have merit and are probably
worth following.
Megan Carney (@PwnieFan) gave a wonderful talk about
InfoSec and how security is everybody’s responsibility. Both she and Jeff Smith
(@DarkandNerdy) continually emphasized that you need to get out and talk to the
people you’re working with and get buy-in for the things you want to
accomplish. This is so true in the security realm.
If you follow the BOFH model, you will never get full
buy-in from your users. Without that, they won’t feel comfortable coming to you
when there are problems, and there will be problems. Nobody knows more
about issues brewing in an organization than the people who are right in the
thick of it. If the people you work with don’t feel comfortable talking to
you, issues will stay buried until it is too late. Trust me: you don’t want
to learn about a security issue for the first time because you’re leading the
local news with a massive data breach.
Jeff Smith warning on the by-product of DevOps and making sure Security is considered.
Avoiding the BOFH model also ensures that people who
work in your company aren’t just going to try to go around you to do whatever
they want. If people feel comfortable talking to you, they will come to you to
make sure an application is safe to install or that a new app is OK to use within
the business. Keeping these lines of communication open is key to ensuring a
secure environment. It also helps to document your processes and progress in
terms of validating and verifying applications and libraries. This lets
people know what you’ve done and looked at and why decisions were made. That
way, if an application was rejected for some reason and that reason has since been
addressed, you would know to go back and try it again.
I think the best line I heard that really sums up the
idea came during one of the Open Session discussions on security. Eric, whose
last name I do not know, said “Figure out how to turn they into we.” The idea
here is that you never address security in the mindset of “They need to make
this change” or “They need to improve how they are handling this”. It should
always come from a place of “we”. Once that mindset is in place, security
becomes a team effort and much easier to maintain.
No system is ever going to be 100% secure. Software is
written by humans and humans make mistakes. Our job in IT should be to try to
minimize security issues as much as possible and to minimize the damage caused
by them as quickly as possible. Doing that from a BOFH model is an approach,
but it’s not an effective one in a world where so much collaboration happens
across teams and across platforms. Working together and keeping open lines of
communication with those that you serve is the best way to ensure that you are
running in the most secure environment possible.