Many recent software development frameworks use the term “Convention over Configuration”. The main idea behind this, is to remove the need for a programmer to explain every detail of an application and instead only specify what the unconventional aspects will be. This should in theory, remove coding unnecessary aspects of the application that otherwise should be taken for granted. This results in faster development, simplified code and ease of management. Anything that doesn’t fit the ‘convention’ needs to be ‘configured’.
I wonder if this approach could be applied to the view of security, not only from a software perspective, but in general every day life? Security in terms of software is often seen as an add-on, an extra, something to do at the end or if something erroneous occurs. This shouldn’t be the case. Security should be built from the ground up from a technical perspective and from a process perspective should be considered equal to things like business continuity or the organizations marketing strategy. So instead of security being an extra, should it be seen as default?
From an IT perspective, many view tight security simply as using a strong encryption method or implementing a password complexity policy. Here I feel we are missing the point. Security is all about strength in depth. The use of rings or circles of protection the same as a fortified castle or strong hold would have been in times of “yester-year”. Information should be treated in just the same way, with protection coming from all levels including network security, application security, internal process and infrastructure security, right through to physical protection such as lock and key.
But security at these different branches of an organization, is often seen as being time consuming, costly and returning nothing in the form of investment from the bean counters point of view. This ironically, will probably lead to costly and short term projects that are a response to a security breach or a policy manifestation induced by not implementing the appropriate security controls in the first place.
It may take time, but information security will become more mainstream as organizations see the real value of being secure such as brand confidence, efficient process and reduced fire fighting. Until then, security will have to be treated as a ‘configuration’ item for most people.