Australian financial services giant AMP has re-thought the way its information technology security team relates to the rest of the business as a result of the industry's increasing reliance on Web applications to deliver services.
Security experts have warned that the proliferation of Web applications exposes organisations and their customers to unnecessary risk of data theft or hacking, because security has not been factored into the development stages of those applications.
"We found that project managers would come to us on Friday afternoon, prior to something going live on the weekend, and say, 'John, can we have an exemption?'," AMP's IT security and risk manager John O'Driscoll told the ISACA security conference in Sydney today.
"It's important they understand the process, but why does it happen on Friday afternoon and why have we designed something that has flaws in it?" the executive added.
According to O'Driscoll, security had previously been tacked on to the end of the product development life cycle, and had not been built into processes at the outset. "So we really tried to push our involvement early on in the life cycle," he said.
"We wanted to help project managers design good and secure applications that didn't have to go through that last minute experience."
However, O'Driscoll admitted many of the challenges had stemmed from business units not having a clear understanding of what the security team did. "Even within the [security] team it had different views of what it does," he said.
Beyond writing security policies, AMP's IT security team has also provided interpretation of security policies to project and business managers, and handled special requests for access to IT systems.
But ultimately, building security into the development cycle was made possible by allocating risk to the business managers responsible for a project.
"Instead of being security guys at the end that accept this risk, we thought, no we're there to provide advice and guidance and said to the business owners, it's your risk," said O'Driscoll. "Once you put risk back on the business owner, they view it much more differently."