Friday, May 29, 2009

What am I responsible for?

This question sprang to my mind during the last few months in the current program that I am working for. On paper, I am part of the technical architecture team, taking care of security architecture. It all started well with the solution architect drawing up a solution overview, which is mainly a representation of the component architecture, and I started with an investigation of the security (non-functional??) characteristics that the solution needs to exhibit. As always happens, all security requirements - both functional and non-functional - are pushed under a single category called "security requirements", which are mastered in the non-functional requirements catalog. Having been in such a situation a number of times in the past, I took up the mantle to approach this in a holistic way!! Good approach !! That essentially means I, as a security architect, am responsible for application level security as well as infrastructure level security. Sounds like a bit of a loaded role?! Nevertheless, having worked in both types of roles (application security and infrastructure security) in the past, I thought it was a great opportunity to take up this wider role. For everybody else on the project it is like we have a "security" architect, and anything that is even remotely related to security should be the headache of this person. Well ! I had no qualms, because this is what I wanted to do and I can definitely cater to this from a skills point of view, if not from a bandwidth point of view.

All went well for a month or so, until one of the managers found an unattended CD on somebody's desk, apparently with some software on it. She came straight to my desk and said, since you are responsible for "security", can you take this up? Inside I was thinking, "How could she possibly know that the CISSP has a chapter of study that deals with physical security operations?" I put up a defiant face and told her that is something the security operations people need to take care of. She gave me a look, probably thinking "what am I paying this guy for?". It was time for me to talk to the chief architect and let him know that the program needs such a role, for reasons that seem naturally obvious but never seem to have occurred to the planners. The resource planning sheet seems to have a column "security", under which if you find a name, that is enough??!! Surely, I have not had particular experience in security operations per se, so to me the question is: is that what I am responsible for ??

Here comes the solution risk assessment interim report time of the project. The manager introduces me to the "Risk assessment specialist". He hands me the ISO 27002 questionnaire and tells me that against each section of questions I need to prove that the solution has design controls in place, so that I can "pass the test". WOW ! Isn't risk assessment supposed to be conducted by a person who is not actually the designer himself? Isn't that a fundamental security principle ? But as far as anybody else is concerned, that is what I am expected to do anyway !! But to me: What am I responsible for??

Please don't get me wrong. I have no intention of blaming any of my co-workers, nor am I in any way mocking anybody. I am only trying to highlight the amount of ignorance, and sometimes carelessness, about the security needs of a program/project. This is indeed a vast area, and it needs to be given due importance. Thanks to years of great persuasion by my security seniors, we have come to a stage where planners, managers and architects realize the importance of security to the extent of having at least "a" security role on the program. But to my mind that is not sufficient, given that we are executing advanced transformation programs/projects that produce solutions for a complex world filled with regulations, penalties, and devious attackers trying to break in by taking advantage of external, internal and social attack routes/vectors. Security planning is an important exercise and needs to be done in a holistic sense, with senior security architects who can anticipate the security needs of a program/project.