To visualize the impact of this model, think of a neighborhood watch program for information security within a company. As with any new management style or technique, there are two primary camps that are beginning to huddle and plan the actions to build DROP adoption: those that openly adopt the notion and those that are quietly hoping it will go away. What camp should a security professional join?
DROP security can solve many problems with security accountability. In today's business world, many facets of security have emerged. In a successful world of distributing security throughout the organization, each person is responsible and accountable for security.
However, we now have security decisions being made by the people who rarely listened to the security awareness training. If services go down, which way will support respond?
Instead of distributing responsibility, how about changing it to DRIP (designing responsibility in protection)? DRIP would focus on the design process of any initiative and build the right level of security during the early stages. We could save a lot of money and time by baking security into the process early and building a trusted component base. In the end, we might find that engineering from the bottom up leads us closer to higher security and costs less. So the next time management wants you to drop security, ask them if you can drip it instead.
- Richard Lawhorn is CISO of a company which wishes to remain anonymous.