Kate is kind of an interesting person, which we can go into later, but the germane thing is she is in Infosec or Cyber-Security or whatever you want to call it, and the company she works for is, well, we'll just say their program is not mature.
That lack of maturity is kind of the point of this post.
As Kate tells it, her department is charged with doing assessments on new devices and applications being added to the network and is supposed to be involved in ensuring that application updates are secure. Apparently there are recurring issues with getting security included in project meetings and discussions - supposedly the SDLC requires that IT utilize the secure coding standard, do data classification, etc. But the SDLC is an IT policy and the others are cyber security policies. Security falls under IT, but the policies aren't signed by the director of IT. Each underling signs his own.
According to Kate, she has suggested a number of times that the policies be aligned, and been told no. At one point she was told, "We only care about cyber-security policies," so yesterday she finally pulls the SDLC and compares what is in it with what everyone believes is in it. Guess what? The SDLC doesn't say squat about security other than requiring proof of Separation of Environments and Separation of Duties.
Ooooooops. Guess they aren't required to get any security input at all.
Kate writes this up, sends it up to the senior analysts and the manager, and is now waiting for some sort of response.
I thought this was funny because it echoes a lot of what I think is fucked about cyber-security: the siloing of everything, concentrating on process rather than on actually securing the data / systems, and an us vs. them mentality with IT. This is why shit is so fucked. Comparing the SDLC and the cybersecurity policies probably took Kate no more than 10 minutes, and it is a major hole that, from the way it sounds, no one will patch voluntarily. So welcome to the world of the breached.