This is part 4 of my series of things to consider for a software security program. The first part can be found here.
1. What are the biggest concerns?
List your biggest concerns and try to put them into context. Anything that is a concern can be addressed once you can define it and place it in a security context. Below are examples from my previous posts; none of them are unusual out there.
* Not much security awareness during development of software
* Hackers hurting your company
* Lack of resources
* Competition from other companies doing security work
* Internal company security competence
* Your own department competence
Put these into a roadmap of improvements with actions, delivery dates, a responsible person, a budget, etc. You will then have a way forward to turn a weakness into a strength.
2. What can you learn from other companies and from the Internet?
Learning from other companies and from user groups on the Internet is recommended. In many cases there is already a solution to your problem out there. Read, listen and learn from those. There is no need to invent something if an acceptable solution already exists. The number of groups to approach and learn from is huge. This applies both to face-to-face (F2F) groups and to closed user groups. Naturally you have to safeguard and respect your company's situation and rules. Spend your energy where it is most needed. My finding is that companies have to work together in order to keep hackers away. Hackers network and use each other's competences. In order to stay one step ahead, it is essential that you learn from each other in a smart way.
3. Trends and statistics, are they in your toolbox?
Do you collect statistics? Do you use them? Do you show them to your manager? Are they on a dashboard?
If you can show statistics month by month, you will be trustworthy. For example: how many issues are registered, how many you solve, and how many are outstanding. With solid statistics you can show trends and focus or refocus on the right things. You can rather easily compare the numbers with the resources you have available and see, possibly 3-4 months ahead, when you will no longer be able to keep the situation under control. Compare this with trends from open external sources and you can verify what you see against international statistics.
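As an added example (not code from the original post), the script below computes the three numbers mentioned above month by month, registered, solved and outstanding, and extrapolates the trend of the open-issue count to estimate how many months remain before it exceeds what the team can handle. The monthly figures and the capacity of 5 engineers times 26 open issues each are constructed assumptions for the illustration, not data from any real team.

```python
"""Monthly issue statistics and a simple backlog projection for a security dashboard."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MonthStats:
    month: str       # e.g. "2024-01"
    registered: int  # new security issues registered this month
    solved: int      # issues closed this month


# Constructed sample data for illustration only; not real figures from any team.
SAMPLE: List[MonthStats] = [
    MonthStats("2024-01", 40, 38),
    MonthStats("2024-02", 46, 40),
    MonthStats("2024-03", 51, 41),
    MonthStats("2024-04", 56, 42),
    MonthStats("2024-05", 61, 43),
    MonthStats("2024-06", 66, 44),
]

# Assumed capacity: 5 engineers who can each keep roughly 26 open issues under control.
# The number is a made-up example; derive your own from your team and tooling.
TEAM_CAPACITY = 5 * 26


def outstanding_series(stats: List[MonthStats], initial_backlog: int = 0) -> List[int]:
    """Running count of open issues at the end of each month."""
    backlog = initial_backlog
    series = []
    for m in stats:
        backlog += m.registered - m.solved
        series.append(backlog)
    return series


def linear_fit(ys: List[float]) -> Tuple[float, float]:
    """Least-squares slope and intercept of ys against x = 0, 1, 2, ..."""
    n = len(ys)
    if n < 2:
        raise ValueError("need at least two data points for a trend")
    mean_x = (n - 1) / 2
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(ys))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def months_until_exceeded(series: List[int], capacity: int, window: int = 3) -> Optional[int]:
    """Months until the open-issue count is projected to pass `capacity`.

    Extrapolates the linear trend of the last `window` months. Returns 0 if
    capacity is already exceeded and None if the backlog is flat or shrinking.
    """
    current = series[-1]
    if current > capacity:
        return 0
    slope, _ = linear_fit(series[-window:])
    if slope <= 0:
        return None
    months = 0
    projected = float(current)
    while projected <= capacity:
        months += 1
        projected += slope
    return months


def dashboard_rows(stats: List[MonthStats], initial_backlog: int = 0) -> List[Tuple[str, int, int, int]]:
    """(month, registered, solved, outstanding) rows ready for a table or chart."""
    return [(m.month, m.registered, m.solved, out)
            for m, out in zip(stats, outstanding_series(stats, initial_backlog))]


if __name__ == "__main__":
    for month, reg, sol, out in dashboard_rows(SAMPLE):
        print(f"{month}  registered={reg:3d}  solved={sol:3d}  outstanding={out:3d}")
    horizon = months_until_exceeded(outstanding_series(SAMPLE), TEAM_CAPACITY)
    if horizon is None:
        print("Backlog is flat or shrinking; no capacity problem projected.")
    else:
        print(f"Projected to exceed capacity of {TEAM_CAPACITY} open issues in {horizon} month(s).")
```

The projection deliberately uses only the last few months: the early months of a new program are usually not representative, and a short window reacts quickly when the trend changes. Treat the result as a warning signal to discuss with your manager, not as a precise forecast.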
4. Who will mentor you?
This is an activity that is often forgotten. You are in the lead in your company, and things are happening every day. Naturally you need help and support; we all need that. Find someone you can talk to and get advice from now and then. It does not have to be a security person, but rather someone who can advise you on how to move forward in general. Have a F2F meeting 2-3 times a year over lunch or dinner. Choose someone who is about 10 years older than you and possibly has wider experience than you have. You will find that both of you learn things from this and from each other.
5. How will you educate yourself?
This is a problematic thing. How much time can you be away from the daily activities? You should spend maybe 5% or more of your working time on educating yourself. This world is not standing still and you have to keep up. As an example: if you do something else for 2-3 years and then come back, you will find that most things have changed. The turnaround time for competence in this industry is about 3 years.
Investing in yourself is essential, both for yourself and for your company. Make sure to have the time, resources and budget for it. Attend seminars and conferences.