Protect IT Group

People who are part of the Protect IT Group are typically information security and compliance professionals responsible for minimizing business risk in IT systems.

Overview

Members of the Protect IT Group are typically information security and compliance professionals responsible for minimizing business risk in IT systems. They establish and maintain the policies, processes and procedures that help ensure application changes are secure, and they regularly evaluate IT systems to identify vulnerabilities.

Values

Manage and minimize risk; protect our systems, data and business from cyber threats, whether they originate inside or outside the organization.

Culture

People, process and technology are a constant balancing act, and the goal is to have enough of each. No system is 100% secure, so security has to be layered (defence in depth) rather than relying on any single control. While security does introduce friction, the goal is to enable the business, not to block it.

Personas / job titles

Security Operations, Security Analyst, Application Security, Penetration Tester, and others

Challenges

The group is expected to protect everything, but is rarely involved in projects early or often enough, and is frequently blamed for project delays and rework. Security is often brought in late in the SDLC as an isolated team, not included when new requirements are developed or when testing is planned. On the operational side, alert fatigue from high volumes of low-value signals is a real problem.

Ideal world

Because security is never 100%, ideally we would have both proactive and reactive capabilities. Application security and shifting left are proactive measures, along with secure SDLC training for developers. On the reactive side, security operations and red teaming catch what was not discovered earlier in the process. All of these capabilities need to be driven and governed by policy and process, and adequate technologies need to be deployed to make them effective.

Last modified June 27, 2024: Fix various vale errors (46417d02)