To be rugged is to be resilient in the face of the unexpected


It’s no longer sufficient to leave security to a team of specialists who watch over the enterprise’s risk posture and control it through a set of constraining policies. It’s not enough to guard the boundaries of the enterprise’s network with firewalls or simply implement sets of controls specified in a compliance framework. Security has become everyone’s job, and its management has become a strategic concern of the enterprise. The way forward is for the enterprise to build a culture of security, an awareness of risks and controls, and a set of norms and practices that align with keeping the enterprise secure.

It’s traditional at this point in an article on security to tell frightening stories of companies humbled in the face of the vulnerabilities that they left to be exploited by bad actors. I’ll abstain. We are all well aware of these threats already. More importantly, we must get used to thinking of security as a positive thing, a way of building, acting, and making decisions that’s just something we do naturally as builders and enterprise executives. We must treat security as part of our culture rather than reactively responding to specific threats as they’re encountered.

As soon as an enterprise deploys an IT capability, innumerable attempts will be made to hack it. But the threats to our systems come not only from bad actors; IT systems can also be defeated by bad data, unexpected surges in usage, untested edge cases involving concurrent operations, cascading failures, and speed issues that multiply geometrically. In order for our systems to securely perform their jobs, they must also be scalable, resilient, available, well tested, performant, and tolerant of failures and unexpected inputs.

Security is a matter of quality


There is good news here. Security is, in the same sense that quality is, often said to be free. In the same sense that basic hygiene is (more or less) free—washing your hands, for example. In the sense that it’s cheaper to build in security rather than add it later. Security is a type of quality.

It’s about ensuring that IT capabilities will continue to work as designed when placed in real conditions—that is, under attack and facing the unexpected.

To read the full text, download the whitepaper:

Creating a culture of security
