The role of Programmer Analyst has changed radically in light of new security priorities. What are these changes, and what characteristics make up a security focused programmer?

Whether staff, consultant or outsourced personnel, programmers have always been expected to have the capacity to work independently, a commitment to staying on top of the technology, and a tolerance for ambiguity and uncertainty on the job. Now, on the front lines of our security efforts, programmers must also see beyond the code base to understand the big picture of how their technology efforts support the core business, so they can recognize and analyze conflicts between security and business objectives, and communicate security risks and benefits to customers, vendors, outsourced peers and management.
In other words, the escalating priority of security is forcing a predominantly technology-focused role into the world of analytics and soft skills. It is forcing programmers to become the conscience of their enterprise. They are expected to challenge business decisions that may expose corporations to security hazards, and to force tough trade-offs between needed business functionality and security, even though few programming professionals are schooled or skilled in risk analysis or communications.
The expansion of the role also flies in the face of their occupational history and their experience. Historically, programming is about automating manual tasks so business can deliver goods and services to market faster. To do so, programmers work hard to make products optimally efficient: easy and flexible to use, and fast at recovering in the event of a problem. Yet it is exactly these characteristics that hackers use to commandeer systems and subvert them for their own use.
Whereas in the past a programmer was only concerned that a system recovers successfully, he now must make sure the system also fails securely, since it is during such failure events that normal system security controls can be unexpectedly disabled. Where in the past he has been concerned that the system does what it is supposed to do, he now needs to make sure the system does only what it is supposed to do, since making unnecessary functions available in a system increases the palette of options available for malicious use. Where in the past programmers have provided technical information to the user on error dialogs to speed investigation and recovery, doing so could provide valuable information to a hacker trying to footprint the system or network, so error messages must be carefully crafted to provide only as much information to the user as necessary. And while in the past programmers have been concerned with making sure systems get all the network resources they need to function properly, they now need to make sure systems never exceed the range of resources needed, since doing otherwise allows a hacker to launch zombie and denial-of-service attacks from the system. These responsibilities effectively double or triple the workload of a programmer analyst, and those professionals savvy about security know this, and are working to improve not only their technology skills but their risk analysis and communications skills to deal with it.
Programmers that demonstrate full comprehension of these challenges to their changing role are best disposed to meeting contemporary business challenges. These professionals can articulate the new issues presented by their increased security responsibility, and strategize approaches that balance functional and security priorities. Any programmer that does not demonstrate awareness of these challenges and of the skills necessary to address them is more likely to be a liability than an asset to a future-focused technology team.
Finally, while among the elite technologists at their companies, security-focused programmers will also understand that they are also technology users in their environments. Programmers that demonstrate ethical character and prudent sensibilities will not ignore corporate protocols, will not deviate from security policy or procedures in their own work, and will not hesitate to take appropriate action should they witness a security violation, whether within or outside their zone of responsibility. And they will be respectful of operations and support staff, understanding that cooperation on security efforts across technology groups is essential to optimal organizational security.
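Two of the shifts described above, failing securely and keeping error output minimal, can be shown side by side in code. This is an added illustration, not part of the original article: a constructed, hypothetical request handler with an in-memory policy table, first written the "recover and keep serving" way, then rewritten to default to denial and to send diagnostic detail to the log rather than to the caller.

```python
import logging
import uuid

log = logging.getLogger("authz")

# Constructed policy store (hypothetical): which user may invoke which operation.
POLICY = {"alice": {"read_report"}, "bob": {"read_report", "export_report"}}


def handle_request_fail_open(user, operation):
    """Recovery-first handler: a lookup error does not stop the request,
    and the error text tells the caller what went wrong internally."""
    allowed = True  # optimistic default so the system "recovers" and keeps serving
    note = ""
    try:
        allowed = operation in POLICY[user]
    except KeyError as exc:
        # Detail meant to speed investigation, but it reveals which usernames
        # exist, and the request proceeds with allowed still True.
        note = f"; warning: policy lookup failed ({exc!r}), known users: {sorted(POLICY)}"
    if not allowed:
        return {"status": 403, "body": "Access denied."}
    return {"status": 200, "body": f"{operation} completed{note}"}


def handle_request_fail_secure(user, operation):
    """Fail-secure handler: the request is denied unless the check completes
    and explicitly grants it; detail goes to the log, not to the caller."""
    allowed = False  # default deny; only a completed, positive check flips it
    try:
        allowed = operation in POLICY[user]
    except Exception as exc:
        ref = uuid.uuid4().hex[:8]  # correlates the terse reply with the log line
        log.error("authz failure ref=%s user=%r op=%r err=%r", ref, user, operation, exc)
        return {"status": 500, "body": f"Request failed. Reference {ref}."}
    if not allowed:
        return {"status": 403, "body": "Access denied."}
    return {"status": 200, "body": f"{operation} completed"}
```

With an unknown user the first handler performs the operation and discloses the user list; the second denies it and returns only an opaque reference number.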
(c) 2005 Bar Biszick-Lockwood/QualityIT