The Most Important Security Question Ever Asked
By Rafal Los
I've been learning a lot lately from one of my senior colleagues who's been doing this software security assurance thing much longer than I have... and the more time I spend with him the more I understand that it all comes down to one very simple question.
"Why?"
Whether you're looking to trick out your ride, or trying to implement some measure in your software development lifecycle - you need to keep asking yourself "why?".
The trick to asking why is that you can't just be satisfied with the first answer you get, or even the next 2 or 3. Keep asking why until you're satisfied that the answer is concrete and real enough to proceed. Allow me to demonstrate.
The context for this example is a medium-sized retail organization.
The organization uses technology, and by extension its web applications, as a business enabler - but it's important to note that the organization doesn't actually sell or directly profit from the development of web applications.
The Information Security Manager wants to implement an application security testing technology.
Naturally, as I've already said, it's critical to ask "why?", but it's important to keep asking why until a concrete answer is obtained.
ISM: "We need to implement an application security testing technology"
You: Why?
ISM: "We need to be testing our application code"
You: Why?
ISM: "We need to be compliant with X regulation"
You: Why?
ISM: "If we're not compliant we can't process credit cards, thus making money"
More than anything else, that last answer is what you need to get you started. At least now you have some business goal to move you forward. If you kept digging into this you may find out that there is a specific amount of money that the site or application makes for the company per day or minute.
You may be able to find out the value of that application in terms of downtime, or the value of that customer database ... and now have a financial basis for pushing your agenda.
The point is, if you don't keep asking why beyond the initial superficial reason you get, you won't have a valid business reason for doing what you want to do.
Sometimes, the effort doesn't have a valid business reason - and then you already know what the result will be.
Start asking why because you need to know. It's the most important question you'll ever ask.