11B Business Security Requirements (and How We Might Recover from Them) presented at COSAC 2015

by Matthew Pemble

Summary: One of the critical shifts in information security development, and particularly in security architecture, has been the move away from requirements and architectures based on security-driven designs towards designs based on business security requirements. A significant part of security work on projects has always been identifying who might know what the business could, should and actually does need (not always the same thing), establishing what those business requirements are, and finally reconciling them with the available (and affordable) technologies.
Security professionals have therefore been keen to get detailed requirements from the business at early stages of a project. Sometimes, now, these requirements do arrive. This is not always the very good thing that we might have hoped for.
Businesses, whether executive leadership, operational managers or, especially, project and programme managers, often have insufficient understanding of the technical environment, the legal and regulatory environment, and the possible capabilities of current and proposed security controls. It is also impossible to fix insecure business processes with technology, no matter how brilliant a security architect you are.
Based on a case study of the redesign of the core systems and operational security services for a large financial organisation, with asides from other major projects, this presentation will discuss where the business can misunderstand security and generate requirements that are essentially nonsensical, counter-productive or just, simply, wrong, and what we can do about them without retreating into the old “security knows best; security says ‘No’” paradigm.