Eliminate Your Job

When reviewing a company’s organizational structure, I saw no specific Information Security position. Perhaps the tasks are performed under a different title.

Perhaps this is progressive. Perhaps this is the future.

That is not to say that those organizations which have Information Security positions are irresponsible. An emphasis on Information Security is like focusing on Equal Employment Opportunities (EEO). To compensate for a pattern of abuse, you add focus that ensures the abuse does not continue. You mainstream a process and pattern which eliminates irrelevant considerations from the hiring and promotion processes. Similarly, to compensate for a history of computing which assumed trust, which assumed that all persons accessing a computing environment were attempting to use it as intended, you add focus that ensures abuse does not continue. You add measures which enforce reliability and trust.

The future, the horizon, the dream is the implementation of an architecture that ensures reliability and trust. You should work to create that future; an Information Security professional should work to eliminate their job.

At one time, structured design, structured development and structured testing were the signs of a mature development team. This gave way to prototyping and rapid development methodologies. The question of whether software “works” became ambiguous. If it passed user acceptance testing, it worked. Bugs could be discovered and addressed later.

The penalty for this development methodology is that the bugs may be found by untrustworthy persons. Relying upon maintenance to address errors introduced in development is an expensive approach, whose timeline and resources are largely unpredictable. Extrapolations can predict the cost of maintenance, but they cannot predict the specific month in which those resources will be required.

An unintended side effect of this development methodology is the growth of a “Security” industry. This does not explain all security issues. It would still be possible to misconfigure devices, use weak passwords, and install software that you should not trust. These are identifiable and addressable concerns. The unidentified concerns give rise to a need for “layered” security: a series of partially effective measures, deployed in the hope that at least one will provide value.

That’s the current situation. That’s why there’s a proliferation of “security” experts. That does not mean we should accept this situation. It takes combined efforts to move toward a structured design, development and test model.

Organizations continue to invest in traditional, layered security infrastructure — firewalls, intrusion detection systems (IDSs), network behavior anomaly detection (NBAD) solutions, and security information and event manager (SIEM) technology. See Narus’ approach with nSystem cyber security technology.

Regarding acceptance testing: test for what the software should do AND test for what the software should NOT do. That is, test for vulnerabilities. Don’t put your enterprise at risk from inadequate testing.

