Turning Practical Experience Into Cyber Software

Looking back across my tenure of working with and for large enterprises in a variety of IT-related roles, it's been fascinating to see how the discipline of security management has evolved from a niche activity performed by the IT Infrastructure department to the all-encompassing information security management discipline of today.

In my experience, security management is an ongoing process that evolves over time in line with the ever-changing threat model. Security does not end by installing a firewall or malware system. In fact, it is debatable whether technology alone can deliver any protection at all if not actively supported by process. Frequently, however, the introduction of technology is seen as the solution to a company’s security issues, when in reality it often only provides a false sense of confidence and complacency.

My experiences at Deutsche Bank acting as Network Security Officer proved to me the importance of process and people in managing security. Working closely with internal Audit, I witnessed first-hand their obsessive quest for documented process that had to be consistently carried out. They understood that good security could only be achieved through the consistent and repeatable execution of well-thought-out and documented process supported by qualified engineers.

Consistency across the IT landscape is a huge problem for many organisations. A lack of consistency can be considered highly damaging to an organisation’s security posture and its capacity to adapt to change, which in turn places the overall business at risk. Without consistency, the notion of enforcing security remains purely academic.

This journey has led me to develop Caveris, a framework that enables organisations to structure their approach to managing security. Caveris has been developed with the underlying philosophy that security management can only ever be effective when performed in an ordered manner, i.e. consistent application of process leading to predictable results.

