Dealing with security is an important part of my job. From my perspective, I would like to make my servers as secure as possible while allowing the business to conduct its business without too much burden. It is always tricky to find the middle ground between security and business, but the lack of communication is the main problem. Just saying no (which seems very popular these days in all aspects of our society) without any explanation or any constructive suggestions does bother me. I am glad Jeff is talking about the importance of security and communicating the reasons within his organization. Such communication is critical to understanding and balancing the needs of security and business. I believe there is at least one solution out there for each problem in the IT field, but no solution is available for an undefined problem. More importantly, Jeff is educating his peers within the organization so they can understand where his perspectives are coming from and work with him to resolve any potential security issues. With cyber crimes increasing dramatically in the last few years, and stories about security breaches appearing in the news being so damaging to the company, businesses and senior managers realize the importance of keeping the company out of the unnecessary spotlight. I believe what the business and other IT departments expect is for security folks to communicate in understandable, plain language so those concerns can be addressed in the business processes and policies across the organization.
The other item I liked that Jeff talked about is putting security concerns into the processes so we don’t have to retrofit later. Different organizations have different processes to complete projects. Some leverage security staff during the design stage, which puts security issues up front. Our organization has a different approach to designing a new application, involving the architect team and the project management team throughout the project’s life cycle. In our case, the architect team is aware of some tools and ways to address technical security issues. However, not everyone on the team has the same level of security knowledge. In order to standardize security, it is necessary to provide security training so all team members have the knowledge needed to apply security concerns in practice. From project management’s perspective, there should be a standard template that includes security as part of every project within the organization. Combining the two teams and building a standard will ensure future projects meet security requirements from the beginning and do not have to be reworked when security becomes an issue that has to be addressed.
Tuesday, February 23, 2010