Us and them development
Posted by Ian S. Nelson Fri, 14 Mar 2008 16:57:00 GMT
This actually relates to security. It's round about but it'll tie together.I was speaking with a college buddy the other day, a guy I respect the hell out of who happens to be an extremely senior engineer and now a fairly wealthy man due to applying that skill in some successful companies. I can't remember the exact thing I said but I was chatting about work, sort of complaining or venting and he called me out for speaking negatively about my current company's QA. I was basically saying that they don't seem to try very hard and he pretty much asked me why they ever would if you treated them like inferiors?
I was a little taken back, I don't think I treat them that way, it's not a conscious thing but clearly there is a caste. I haven't had that many jobs but the 2 places where test was treated as equals and with the same respect as development they also had the same level of responsibility and we ultimately had much much better testing. It works better when everyone takes ownership of the whole product and it generally doesn't work that well when people try to just slice off little pieces and ignore the rest. Everywhere else, most other places, QA were second class citizens, it seems like a normal sort of way of operating. People can rise to the level of expectation, if that level is too low then that's what you'll get.
So how does this affect security? Network ops and marketing usually have very different missions. In the last 10 years, businesses have added security groups and security officers to “add security” to the business, and to basically fill in a hole that nobody else owned. It doesn't work very well. A CSO should be more like an ombudsman. If it's not everybody's responsibility and everybody's job then it simply won't work, there are no tools you can simply buy that will make your business “secure.”
