A Different Model for Security Teams
There is, in my experience, a certain mindset among some information security professionals. They see themselves as the keepers of arcane knowledge, duty bound to hold the cyber-line, the last thing standing between common application developers and complete pwnage. They're the few, the proud, the ones who can shut it all down in the name of security. I'm not sure if it's a side effect of the field's association with the "intelligence community" or mere self-importance; every profession has its foibles.
Unfortunately, apart from the usual objections to cops and special forces, I think that the metaphor leads to some dysfunctional tendencies in structure and strategy:
- security review as a checkpoint on the way to deployment
- preoccupation with active response instead of infrastructure
- expertise siloed in the elite security team
- strict adherence to policy over incremental progress
- pursuing improvements by imposing requirements ("laying down the law") instead of offering resources
I'd like to suggest a role model to replace the cyber-warrior: the guard llama.
A "guard llama" is a single llama (or similar beast) put out to pasture with a flock of sheep to protect them from coyotes, wild dogs, etc.
The guard llama:
- mingles with its flock
- isn't so different from the animals it guards
- is capable enough to deter threats without being paramilitary
- doesn't take itself too seriously
These are all qualities shared by the most effective and pleasant security teams I've worked with.