In my normal course of consulting, I help a wide range of clients across disparate industries build coherent and comprehensive strategies for cyber security. It is challenging but rewarding work dealing with the effective allocation of talent and millions in capital.
As much as I may harp on the imbalance of culpability between computer system owners and software manufacturers, the reality is that users of software (i.e., computer system owners) will always need to invest and act wisely when it comes to cyber security. To create effective strategy – and what I mean by this is not just long-term resource allocation, but a pathway to substantially higher performance – is not nearly as easy or “clean and neat” as some compliance-focused, check-box-happy auditors seem to crave. To me, strategy has an inherent aspirational quality that audit rules simply cannot support.
In simple terms, strategy is messy work…and it always will be. There are no appliances or security products that deliver strategy. But in the effort to control this messiness, we, like other consulting firms, employ frameworks by which to approach strategy development. Frameworks are beautiful things because they allow creativity and innovation to thrive within a structure that itself evolves based on how one approaches particular challenges.
As messy as corporate cyber security strategy might be, the messiness of software development is far greater. Developing software is both an act of engineering and a work of art (as the madness that comes from coding three days straight attests). This means frameworks for software development are all the more important. This, and other reasons that I will state shortly, is why the recent work released by Cigital and Fortify is so wonderful. The work is the Building Security In Maturity Model (BSI-MM) and represents a distillation by the authors (Gary McGraw, Brian Chess, and Sammy Migues) of nine “world class” software security programs. In short, the BSI-MM promotes better software based on practical experience. This is welcome.
The BSI-MM (http://bsi-mm.com) introduces the Software Security Framework (SSF), organized around 4 domains and 12 practices. Most importantly, the SSF provides the yardsticks needed to diagnose and analyze Current State. That alone is challenging enough for any organization, particularly one doing the software development the BSI-MM targets, but the real challenge is Future State…the pathway to better software development…for which the SSF again provides a rational and coherent approach (think metrics and traceable practices, among other things).
For software development groups that constantly struggle with delivery pressures, an aspirational pathway to deliver better, more secure software is critical. It also benefits us all.
The crux of the issue then, as it is with all things human, is adoption. Frameworks are beautiful and useful things in the right hands, but incentives must exist for those hands to pick up and use the frameworks. The desire to reduce the frustrations and expenses related to cyber security compliance is what opens the door to many of our strategy engagements. In contrast, there is no similarly compelling entry point (it doesn't have to be frustration or expense, by the way) in the software market, except for the good will and good intentions of forward-looking software manufacturers. Good intentions are fine, but not enough. New purchasing requirements are changing this to a small extent, but until better software can easily and reliably be distinguished from other software (and good intentions lead to substantially higher profits and improved competitiveness for software manufacturers), we face the rather frustrating situation of great models like the BSI-MM being in not enough hands.
What we do have in the BSI-MM is another step in the right direction for better software. And that is something we should celebrate.