This is part 3 of my series of things to consider for a software security program. The first part can be found here.
1. Are there other security areas within the company that you should cooperate with?
In a large organisation there may be several security functions existing side by side: building security, parking and trespassing, management security, product defects, server and web security, and PII (personal data) protection, to name a few. Make sure the company has a documented process and procedure stating who is responsible for what and how incidents should be reported, and publish it on the intranet where anyone in the company can find it at the moment they need to report something. When an incident is first reported, it is often unclear to the reporting person what it actually involves and which function owns it. This is a complex area, and the lack of a working process can delay a fix by days in the worst case.
2. How will you look compared to the competition in 1-3 years?
Is that important? Does it have business impact?
"Yes" is the short answer. Some customers want to see that you have a security program before they will do business with you; it works like an informal ISO certification. Expectations in this area are rising fast, and many companies have been hurt badly, first in brand and consequently in cost. If you are seen as worst in class, or as not taking security seriously, why should anyone do business with you when there are others to do business with? A flaw in your product could seriously damage your customers. So yes, it is important to benchmark yourself against the competition and to set your own goals for where you want to be 1–3 years from now.
3. Who handles media if things go south?
Plan for it now. Make sure there is a process for handling the media and that people are aware of it, then stick to it. The media are fast, very fast, and they know what they are talking about even when it sounds as if they don't. Give correct information, and never try to get away with an answer you are not sure is correct. Say how and when you plan to solve the problem, since they will ask anyway. Also make sure that the people who talk to the media are the managers who can actually make those promises happen. The media will check whether you can deliver, trust me.
4. How do you plan for change?
We all know how things can change. Company direction and goals shift along with the organisation all the time, and the company's profit varies over time as well. Think through and plan for how that affects your area. This comes back to keeping management informed that you exist and what you are doing. As I have seen many reorganisations and cost-saving programs, I can tell you that keeping management informed so that they understand your work is important. You might get a new manager in the middle of a cost-saving program who does not know you from before. Your strategy, and what you do for the company, must be made visible.
5. IoT, Big Data, Cyber Security etc.: do you have a plan for that?
Most software companies, and most modern companies of any kind, are moving in this direction. Not many of them fully understand the consequences, certainly not the security consequences. At some point you will have to teach the company about it. Wherever you read on the Internet you find articles about the lack of security in Internet of Things devices, and this will blow up at some point. Big data will give you privacy problems. Cyber security has problems of its own.
What to do? Start by building competence in the team, and start informing the company about it. Find out how far the company has already come and how fast it is moving. Treat this as a new software security program in its own right, because it will cost a lot of resources and time. Many IoT products are immature security-wise, and you will find things you would not believe.