While being a bit buried up to my eyeballs in going through some industry statistics and reports today (which is why this is significantly later than “usual”), I came across some indicators as to why you and your team might be struggling to keep up with everything that shows up in your inbox for a “security review.”
How many projects do you touch in a given year?
One of the statistics I saw – mostly relating to larger business projects – was that an organization like the ones we work with typically does an average of 100 projects a year. However, from speaking to many of you, I know that the number of projects the security team touches can be double or even 10x that many.
Now, I’d like you to think a minute about those projects and what you do with them. In many cases, you might be “behind the curve” and the projects come to you for a security approval as part of some bureaucratic, linear SDLC process that has security positioned as a stage gate.
If that’s the case, what do you do? What kinds of information do you have about the project?
Is it a spreadsheet or document – a questionnaire the project team needs to complete – filled with questions relating to our world, but not really having much to do with the customer's world?
Sometimes we do this to try and get that leverage I mentioned earlier, because, well, there are so many projects we touch. We're often rather busy dealing with all the delinquent project remediations we've found, and, let's face it, stakeholder engagement typically isn't the strong suit of most security professionals.
So we put together these “security questionnaires” – and hey, we can even cite “best practice” recommendations for integrating security into our projects – but what do those questionnaires really tell us?
Do they give us the ability to truly identify and classify our projects as to where they sit in our world as security and what protection they require?
Are we able to focus on specific security policies, standards and controls they require so that we can highlight these to the relevant project teams as specific security requirements, so they can’t say, “We didn’t know about that,” or, “We didn’t think that applied to this project” when it comes time for that security review?
Because if you can, then that’s the leverage I’m talking about. And it’s the kind of thing every security team needs to find—not just for survival, but to actually be able to do the jobs we’ve been hired to do.
Putting this into a bit of perspective, a few other stats I found are relevant. One study indicated that about 25% of projects were going to either be delayed or have their scope reduced due to cybersecurity concerns. If this is even close to true, that's about 25 business initiatives that have been delayed or stopped by security—and some of the outliers indicated it was much higher.
However, whatever the actual value of the statistic is – or whatever it is in your organization – it's the sentiment that matters. This is really where the root of security being seen as the Business Prevention Department comes from, because if you're one of those business or IT project managers…
…and you've been conditioned that 1 out of every 4 projects you run is going to be delayed, over budget, and you're going to have to explain on a weekly basis to the business project owner that yet another week has gone by when they can't have their new toy…
…human psychology tells us that when they run the other 3, they're going to consider themselves lucky.
Because we always remember and focus on the negative a whole lot more than we do the positive. It's a human thing to do.
So as much as we might complain about the situation, point fingers and start justifying why it’s all their fault…
…we can’t let ourselves slip into that kind of adversarial “us” vs. “them” mindset. I know it happens, and this too is psychology. But we need to be stronger than that.
We need to be better than that.
Because at the end of the day, stopping or delaying projects doesn’t give us gold stars in the eyes of the organization for doing a good job.
It just gives us a black eye.
Now maybe the above doesn’t apply to you, and your organization is a well-oiled, agile and DevOps-ing delivery machine with fully integrated security, demonstrated alignment with the business strategy…
…and people stopping you in the hallways – or pulling you into a Zoom/Teams/Hangout – just to say thank you for keeping the organization safe…
…because they see the value you deliver every day.
And that’s fantastic.
Or…maybe at least some of what I mentioned above is stuff you’ve seen—or it’s stuff you live every day. And maybe…just maybe, you’re tired enough of working that way…with all the stress, the hassles and the waning excitement of the job you thought you wanted to do…
…that you’re ready to do something about it.
If you are, then maybe I can help. So, let’s talk about it. And if I can, we can start working on it as quickly as we can get things organized. But if I can’t, we’ll be able to figure it out pretty quickly on a brief call.
But we’ll never know if you don’t set it up. And you can do that simply by clicking this link, scrolling to the bottom of the page, and clicking the big yellow button.
Andrew S. Townley
Archistry Chief Executive