Re: Should Security Team Be Split?
From: Bennett Todd (bet@rahul.net)
Date: 09/12/02
Date: Thu, 12 Sep 2002 13:18:55 -0400
From: Bennett Todd <bet@rahul.net>
To: "A. Bluecoat" <abluecoat@hotmail.com>
2002-08-23-13:34:55 A. Bluecoat:
> My company is thinking about splitting up the security team
> along the lines of Plan, Build, and Run. Planning being crystal
> ball stuff and oversight of security architecture. Build is the
> implementation of projects and Run is the actual day-to-day
> maintenance. We would all report to different bosses.

This is how the biggest companies do it; there's an architecture
design group (your Plan); they most urgently need to keep up with
all the latest developments across the board, both in threats
and in defensive technologies. They also need to have a detailed
understanding of end-user requirements. They negotiate with the
engineering group (Build), to make sure everyone agrees on how
things should be done, and that the Engineering group agrees to
acquire the expertise needed to make a proper production packaging
of the solution; this packaging includes documentation that's handed
off to the operations admins (Run); they have to approve that
documentation before the handoff succeeds.

> Our thinking is we should stay together as a team. The lines
> between Build and Run blend in so many areas. There is also
> knowledge transfer and the general sense that we are all on the
> same page.

There are certainly overhead costs associated with this sort of
partitioning. They are repaid (if the system works well) by more
mature, carefully planned and documented facilities and better
change management, which in turn leads to fewer unscheduled outages
and better support.

But it ain't cheap. I'm almost tempted to say, if you have to ask,
you can't afford it; I don't think I'd pioneer this sort of change
management process into a new company using the firewall plant as
the test case; I'd keep security design/eng/admin in a sticky gooey
blob while introducing change management somewhere that's easier ---
web content publishing is favourite, internal app development
delivers some of the biggest rewards. Leave the firewall admin for
after the whole organization has gotten a feel for this approach
elsewhere.

-Bennett