This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact if you have any questions about the US-CERT website archive.

Governance and Management

Updates to this material are, in part, either adapted or excerpted from Software Security Engineering: A Guide for Project Managers [Allen 2008].

Governance and management of security are most effective when they are systemic, woven into the culture and fabric of organizational behaviors and actions. In this regard, culture is defined as the predominating shared attitudes, values, goals, behaviors, and practices that characterize the functioning of a group or organization. Culture thereby creates and sustains connections among principles, policies, processes, products, people, and performance. Effective security should be thought of as an attribute or characteristic of an organization or a project. It becomes evident when everyone proactively carries out their roles and responsibilities, creating a culture of security that displaces ignorance and apathy. One manifestation of this is that everyone proactively considers the attacker perspective throughout the software development life cycle and how the software can fail when under intentional attack or unintentional actions of users or developers.

This means that security must come off the technical sidelines, where it has been treated as a set of activities and responsibilities relegated solely to software development and IT departments. Today, boards of directors, senior executives, and managers all must work to establish and reinforce a relentless drive toward effective enterprise, information, system, and software security. If the responsibility for these is assigned to roles that lack the authority, accountability, and resources to implement and enforce them, the desired level of security will not be articulated, achieved, or sustained. Contrary to the popular belief that security is a technical issue, even the best efforts to buy secure software and build security into developed software and operational systems encounter "considerable resistance because the problem is mostly organizational and cultural, not technical" [Steven 2006]. Software and information security are about spending money, with the measure of success being that nothing bad happens. As time goes on, this can become a tough sell to business leaders as the "we haven't been attacked lately so we can cut back on spending" mentality sets in.

Project managers need to elevate software security from a standalone technical concern to an enterprise issue when both developing and acquiring software. Because security is now a business problem, the organization must activate, coordinate, deploy, and direct many of its core resources and competencies to manage security risks in concert with the entity’s strategic goals, operational criteria, compliance requirements, and technical system architecture. Those responsible for ensuring secure software should have the responsibility and authority to stop the release of new software into production if security requirements are not met. To sustain enterprise security, the organization must move toward a security management process that is strategic, systematic, and repeatable, with efficient use of resources and effective, consistent achievement of goals [Caralli 2004b].

The objective of this content area is to help software developers and their managers, and security professionals and their managers: (1) more effectively engage their leaders and executives in security governance and management by understanding how to place information and software security in a business context and (2) better understand how to enhance current management practices to produce more secure software. Armed with this material, managers and developers can build attentive, security-conscious leaders who are in a better position to make well-informed security investment decisions. With this support, they can then take actionable steps to implement effective security governance and management practices across the software and system development life cycle.