In smaller companies, there is typically just one person looking after IT and its security, while others in the firm will undertake software or application development on an ad-hoc basis. Bigger companies will generally have a dedicated development team, operations team and a dedicated IT security person or team.
Maintaining and/or improving security during change can be a challenge – and the challenge is the same for companies of all sizes.
The following key points must be covered when addressing security matters during change and on an ongoing basis.
First, ensure that both the security people and the operations people are involved with any project from its inception. It is easier, cheaper and far more effective to build security in from the beginning rather than add it later, like a sticking plaster.
Also ensure that the business is involved. After all, the end product should be what the business actually wants, not what it is believed to want. A change of application design at the last minute because a desired feature was missing can have an adverse impact on an application's security and/or manageability.
Second, ensure there is a formal change management process that involves all stakeholders and captures all changes. In other words, a project should not be able to bypass the change management process simply because a project board has authorised it for deployment.
Third, ensure that the development area implements the same patches on the same cycle as the main business and, of course, ensure that security patching is up to date and not running months in arrears.
Fourth, where a change involving a new piece of software or an application ran into issues during its installation, ensure that those issues are documented and discussed by all stakeholders at the earliest opportunity, so that improvements to either the development or the deployment process can be identified.
Finally, establish and maintain regular meetings (monthly recommended), which can be informal, between security, operations, development and business. The purpose of these meetings is to exchange ideas, discuss industry happenings such as new products and security briefings, discuss potential new business areas and what that might mean in terms of development work, and to discuss any issues identified in the previous period.
Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.