Welcome to the first issue of Deploy Securely, a series focused on secure software development and delivery.
The idea for the name originates from an experience I had early in my Marine Corps career. As a young officer, one of my instructors illustrated an important lesson for me. Although some Marines would often say that “safety is the top priority” during training, this grizzled combat veteran pointed out that such a mindset was not actually the right way to think about things.
If the immediate risk of property damage, injury, or even death were the only thing to consider, the military wouldn’t really do any training because firing weapons and blowing things up - even under controlled circumstances - inevitably leads to accidents. Since getting ready for war was the purpose of training in the first place, and not being prepared for battle was itself a hazard, it made sense to accept some level of risk during training.
What my instructor proposed instead was to say that “training safely is the top priority.”
I think his phrasing illustrates a critical tenant of risk management: just by getting out of bed in the morning, we face many a danger, but must press on anyway (at least if we want to get anything done). The key, then, is to weigh this risk against the gain to be had from accomplishing our objective. If we decide that the juice is worth the squeeze, so to speak, then we should proceed while minimizing unnecessary risk along the way.
On the cybersecurity side, as the saying goes, “to secure a system well, we should power it down, encase it in concrete, and drop it to the bottom of the ocean.” Few people, however, would be willing to pay money for or use such a system. My hope is that Deploy Securely will help to build a rational framework for avoiding such maximalist positions and managing tradeoffs appropriately.
Unfortunately, I don’t think the industry has yet established the right equilibrium.
Those who manage information security risk for a living sometimes focus exclusively on the downsides of doing things that seem pretty cool to most other people, such as releasing software, building features, and even launching new products.
Conversely, many on the business side can appear cavalier with their decision-making and sometimes seem willing to accept any risk - no matter how outrageous - to grind out a single marginal dollar of revenue.
Neither of these extremes are appropriate. Rather, balancing the tradeoffs inherent to any software project (or company) requires a philosophy for evaluating - and acting on - cybersecurity, business, and other risks.
Thus, I intend to use Deploy Securely to develop just such a philosophy. Having learned many of these types of lessons the hard way in both the public and private sectors, I hope to share them with you (without the accompanying pain).
I may also make occasional detours for one or two posts to address adjacent topics or current events, but I promise I’ll eventually get back to the original focus of this series.
Additionally, I’ll plan to allow commenting for most of my posts. I have learned a thing or two about this topic, but I’m sure there are things out there that I don’t know or haven’t considered. I welcome constructive feedback and reserve the right to change my stance on things if presented with a solid counter-argument!
That’s all for this edition. In the meantime, please help spread the word by forwarding this to your colleagues or posting about it on social media!
Related LinkedIn posts