I've often pointed out that information security management has become far too slow, bureaucratic and process-driven. It's because of the backward-looking culture created by governance, standards and compliance. Old-fashioned quality management concepts such as Deming loops and Capability Maturity Models have much to answer for.
In much the same way that security needs to learn from safety thinking (which is at least 50 years ahead in terms of understanding the nature of incidents) or modern military doctrine (which recognises the importance of speed and empowerment), so it should also learn from software development (which long ago changed its methodologies to enable faster and more responsive results).
A good example is the Manifesto for Agile Software Development set out more than a decade ago. It succinctly states that:
"We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
- Responding to change over following a plan
That is, while there is value in the items on the right, we value the items on the left more."
Security professionals should note these points, because the key to effective security is not reams of policies and tick-lists, but empowerment, effective solutions, large-scale collaboration and agile response.