5. September 2023 By Oliver Kling
Security professionals and the brain surgeon paradox
I would like to start with a few hypothetical questions that may seem somewhat unusual in the context of IT and application security. I want to use them to put forward a fundamental idea that has been on my mind for quite a few years: how to provide an adequate level of security expertise in development projects. For this, let me take you on a little thought excursion:
Would you have brain surgery if the surgeon scheduled for the operation did not have a medical degree and several years of experience with brain surgery?
The answer is probably a resounding ‘no’.
Let us look at a slightly different scenario: Would you have an operation in a clinic whose chief surgeon has worked out precise guidelines and definitions on how to perform brain surgery, but which still has no experienced, trained surgeons?
This probably will not change your mind.
Let us expand the scenario: The chief surgeon has recognised the problem and offers awareness and expert training for this type of surgery. However, the prospective surgeons have so far put this training to very little practical use.
You still do not want to have your surgery done there? Then perhaps this will change your mind:
The chief surgeon has launched a training programme for brain surgery specialists. This means that employees – possibly even selected according to inclination and prior knowledge – will be entrusted with performing brain surgery in future. They are specially trained for this, but their main job remains something else.
I can hardly imagine that you would be willing to go through with it now. Or would you?
What does all of this have to do with IT and application security?
Comparing brain surgery and security is a bit of a stretch, no doubt. But they share a few, if abstract, similarities: In both cases a lot of knowledge and experience is involved, and in both cases there are indeed proven experts. Moreover, both fields are complex and cannot be learned in a short time, not even partially.
Why am I so keen on making this comparison, even though it is all very general? Quite simply, in software development we often operate in very much the same way. We start by appointing a Chief Information Security Officer who issues guidelines and policies, then we start a training programme, and last but not least we implement a security champion programme.
This means that in the final stage of evolution, the security champion programme, we put technically experienced employees through a particularly detailed training programme. The idea is to have enough experts spread across projects and organisations to handle the topic of security ‘locally’ in their context and to provide answers to essential security issues.
Such a programme can work, and there are plenty of excellent examples where this approach actually delivers good results. However, it is left pretty much to chance whether a developer or an architect who is also entrusted with this task has the time and the experience to support their project sufficiently in security matters.
What would be the alternative?
Quite simply, the provision of security professionals who have earned the title and bring experience to the table. This could be organised centrally or at department level. What matters is that they are genuine professionals who have delved deeply into the subject matter and have accumulated a great wealth of experience over time.
The standard counter-argument is this: ‘This does not scale at all!’ I hear this statement very often.
However, I do not think that it is true. If you want to get serious about building secure applications, some effort is required. Whether you put a security champion or a full-time expert to the task, the net effort does not change. In fact, experienced professionals tend to be much faster and more efficient, so on average they need even less time to perform the same tasks. The cost per hour is undeniably higher, but I think the results speak for themselves.
In this scenario, a full-time security expert will probably be in charge of several projects and will thus naturally contribute to implementing consistent standards across them. This is a further win for software development projects. What is more, security, which is often perceived as a pesky subject, is handled in a sustainable way without drawing on the team's own resources.
What remains is the question of whether there are enough experts on the market, or even in your company. Probably not, but that does not mean this cannot be changed. Referring back to our little story about surgery: if there are not enough brain surgeons, you change this by investing in additional training.
How do we do that at adesso? Of course we train our developers and use documented guidelines. But we want to play it safe when it comes to security, so we have a team of experts dedicated entirely to secure software development. With this team, we support our own development projects at our customers' sites as well as projects carried out entirely by the customers themselves, starting at the planning stage. The team brings existing experience, which is continuously developed further through training and specialised courses.
In software development, a security champion programme is often used to promote security awareness. However, I champion experienced security experts for more sustainable results. This is the only way to set standards across projects and address security in a sustainable way. A lack of available skilled workers can be remedied by investing in training.