That’s just infotech though? Essential, but only one small part of the whole. And bottom up, not organically a part of the whole. I work at a small company with lax security practices and very little support for better ones from the top, and I can see how security is always an afterthought when you are growing up, and later it is already too late to do it right.
No. The principle applies to the structure of the organization and its culture in the same way as to its software.
Walking skeleton comes from software engineering, yes, that’s where I picked it up. But I intended it as a more general metaphor.
In the same way that it is difficult to add security into a software that never had it, so is it difficult to add a security mindset to a workforce that never had it. The relevant touch points are missing everywhere. HR doesn’t know what to look for, it’s not an interview topic with sufficient depth, nobody asks you to assign a strong password, pen tests are done superficially because no one knows all the endpoints to test etc.
You have to start talking about this from the start and grow all of them as you go.