Saturday, August 17, 2013

The importance of feedback in IT security and ethical hacking

Feedback is extremely important for every person, team, department, company. I do not mean feedback, like "you are doing OK, keep on this way", but real unpolished "raw" (market driven) feedback: Does the product sells, are they bugs, are customer's complains, it is generating a revenue? (The feedback need to be interpreted in the right way for sure.)
The short period feedback is core element of agile development: build, try, correct and rebuild. Without a feedback, the professionals become less efficient and the system become a bureaucracy.
How about IT security? Security solution and policies need also feedback, but oft it is not the case in may companies. There are very important points to be addressed:
  • Do the companies know how may attacks they sustained and number of successful attacks?
  • How many security bug were found internal and how fast are corrected?
  • Does the security policies are controversially discussed and open-minded reviewed based on experience and statistics?
  • Are there mechanisms to avoid blind following on meetings? Are they anchoring effects?
  • Is it clear the resources and respectively money required for additional security?
  • Is it clear the consequences of not following the security recommendation, like cutting bonuses? The consequence of policy exception for the manager must be also clear, they also have bonuses in the case of security bridge because of the exception.
Even all these points are answered, there is no guaranties that the statistic (feedback) reflect the security situation. Potentially, the hackers were busy elsewhere or were on holiday :-) For this reason, it is very important to make protectively security test or ethical hacking. For example: the software departments make acceptance tests (Unit-Tests) and the security department a security tests (penetration tests).
The security department needs as much feedback as every other department. Do not hide facts from the security :-) Otherwise, it becomes bureaucracy.








Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)