The way to make security make sense to anyone is to help them understand that security is just another sensible outcome of making their venture and business successful. You do not need to be a genius to achieve that. Really?
"We don't stop playing because we grow old; we grow old because we stop playing." - George Bernard Shaw
You just need to engage people's senses and sharpen what makes sense to the users. Security cannot be an afterthought.
"If you can't explain it simply, you don't understand it well enough." - Albert Einstein
Security can make "sense" in your project environment. Take an inside-out, outside-in telescope view of the people involved and the potential threats faced. Understand how the people are going to be affected, the measures to be taken to address their concerns, and what matters to them most, e.g. the overall project deliverable and timeline.
For example, exercise your innate senses and guide the project team to build security into the project early. This will help them stay compliant and avoid a "U-turn" (e.g. the end deliverable reaches pre-commissioning review only for inadequate controls to surface, when it may be too late for any changes).
We can take on a proactive "role" and stay agile. Be prepared to take up different roles as threats evolve. You really need to exercise all these senses to sharpen your security objectives and keep the defense strategies up to date. These contribute to coherence between the security design and the system architecture being developed. Both need to be comprehensive and must not introduce unnecessary risk exposure through miscommunication or siloed teams, especially in a big organization or where extended partnerships are involved.
Here is an analogy for staying proactive and taking on the "animal" sense of adapting the defense to the threat faced.
Porcupine Defense Mechanism - If a predator gets too close, the quills will dislodge from the porcupine and stick into the offending animal. Quills grow back.
Hedgehog Defense Mechanism - When threatened, hedgehogs will roll into a tight ball so their spines protrude and their hands, feet, and faces are tucked away.
Armadillo Defense Mechanism - Its entire body is covered with bony plates, which makes it appear as if it were wearing armor. It rests in burrows.
Pangolin Defense Mechanism - Similarly, it has protective armor made of large keratin scales. But it stays on the ground (no cover).
Need to take a risk-measured approach
To stay well defended with good senses, you need to have (or encourage) agility so that threats can be blocked sufficiently by the controls deployed. Gain greater confidence with a proactive stance to deter the adversary and block them out. Exert further "stress" on them to gain a higher vantage point. You do not have to be an easy target.
Having said that, the approach taken really depends on the level of risk appetite, and you must be prepared for side effects, repercussions and failure. In any good plan there is always a need for a contingency in case the damage grows beyond what the security controls can contain effectively, e.g. a control that causes a denial of service leading to an outage, or a zero-day discovered in a partner-managed system with no patch available, etc.
This is not unexpected, but it requires us to actively identify the areas that need more attention. A proper risk assessment is required, and regular review is paramount to keep stakeholders well informed of the residual risks and of what is being done to bring them to an acceptable level.
For example, during a sophisticated external attack, watching over your perimeter security may be a distraction: the stealthy insider threat remains, which requires you to maintain good oversight of all privileged staff and third-party access while the attack at the front continues. Stay proactive and be agile to adapt to changes in the situation. Things can get ugly if you do not stay on top of them, and the damage can be drastic and lead to greater impact.
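One concrete way to keep that oversight of privileged and third-party access while a perimeter incident is open, as an added example that is not part of the original post: parse access-log lines, keep only the roles under watch, and flag any activity inside the incident window from accounts that were not explicitly approved to work during the incident. The log lines, account names, roles, incident window and approved list below are all constructed for illustration.

```python
"""Added example (not from the original post): flag privileged and
third-party access events that occur while a perimeter incident is open.
All log lines, account names, roles and the incident window are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set

# Constructed sample access log: timestamp, account, then key=value fields.
SAMPLE_LOG = """\
2024-05-01T09:58:12Z alice@corp source=10.0.1.15 action=login role=admin
2024-05-01T10:02:44Z vendor-svc@partner source=203.0.113.7 action=login role=third_party
2024-05-01T10:05:01Z bob@corp source=10.0.1.22 action=login role=user
2024-05-01T10:07:30Z alice@corp source=10.0.1.15 action=sudo role=admin
2024-05-01T10:45:10Z vendor-svc@partner source=203.0.113.7 action=file_export role=third_party
2024-05-01T11:30:00Z carol@corp source=10.0.2.5 action=login role=admin
"""

# Roles whose activity must stay under oversight during an incident (constructed policy).
WATCHED_ROLES = {"admin", "third_party"}


@dataclass
class AccessEvent:
    ts: datetime
    account: str
    source: str
    action: str
    role: str


def _ts(value: str) -> datetime:
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str) -> Optional[AccessEvent]:
    """Parse one log line; return None for lines that do not match the layout."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = _ts(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return AccessEvent(ts, parts[1], fields.get("source", "?"),
                       fields.get("action", "?"), fields.get("role", "?"))


def parse_log(text: str) -> List[AccessEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def flag_during_incident(events: List[AccessEvent], window_start: str,
                         window_end: str, approved_accounts: Set[str]) -> List[AccessEvent]:
    """Return watched-role events inside the incident window from accounts that
    were not pre-approved to work during the incident. Approved accounts are
    skipped even when privileged, so the list stays short enough to review."""
    start, end = _ts(window_start), _ts(window_end)
    flagged = []
    for ev in events:
        if ev.role not in WATCHED_ROLES:
            continue
        if not (start <= ev.ts <= end):
            continue
        if ev.account in approved_accounts:
            continue
        flagged.append(ev)
    return flagged


def summarize(flagged: List[AccessEvent]) -> List[str]:
    """One reviewable line per flagged event."""
    return [f"{e.ts.isoformat()} {e.account} role={e.role} {e.action} from {e.source}"
            for e in flagged]


def run_example() -> List[str]:
    """Constructed incident: perimeter alert open 10:00-11:00 UTC, alice approved."""
    events = parse_log(SAMPLE_LOG)
    flagged = flag_during_incident(events, "2024-05-01T10:00:00Z",
                                   "2024-05-01T11:00:00Z", {"alice@corp"})
    return summarize(flagged)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

With the constructed input, the vendor account's login and file export inside the window are the only two lines that surface: the approved admin's sudo is suppressed, the ordinary user is outside the watched roles, and the admin login at 11:30 falls outside the window. In practice the approved list would come from the incident's change record and the window from the alert timestamps.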
So what can we do?
For coherence in the defense approach, get the operations, IT and security teams involved. Form this hybrid team because an ops-tech defense approach is needed; siloed teams cannot work with agility. Orchestrate the security and IT controls so that the operations team centrally maintains command and control, detects and responds seamlessly, and keeps stakeholders informed of any security or IT incident in a timely manner.
To automate controls and measures, first identify the manual human processes and find out where they are heavily used. Check for any past incidents due to human error; manual processes are error-prone. Rethink and synergize: build a network with the tech community and IT vendors to promote more use of technology. Be opportunistic - there is no silver bullet or 100% perfect solution that can give you a zero incident rate.
Adopt a "Fail Fast, Learn Fast" Mindset
Get it FIRST time RIGHT
Be Pragmatic and ALWAYS prioritize
Nurture an Inclusive Learning Environment
Identify the Champion and develop an Outreach programme to get buy-in from ALL
Exercise good principles and encourage exploratory practices
Ultimately, the whole gist is that without preparation (like going through the above), it will be difficult, if not impossible, to stay ahead and be ready when a breach befalls the organization.
In this fast-paced cyber ecosystem, learning never stops.
"Live as if you were to die tomorrow. Learn as if you were to live forever." - Gandhi, Spiritual Leader
Stay resilient and always be prepared to adapt to change.
Keep learning. Learn from role models. Put knowledge and experience into practice. Walk the talk!