IME many security people are already on call. What you’re describing is one of the roles of Security Operations Centers, unless I’m misunderstanding what you’re suggesting (which I think might be the case!)
You can’t rely on that as a fix though, because it’s inherently reactive, when what you really want is proactive protections. By the time you get paged about a breach, it’s already too late.
I see! I think it’s a good idea, and I personally think that would be a good and overall positive role!
However, in my experience in a big org, #1 happens frequently enough that it would basically be needed at all times, and would need a security person (or an entire team) dedicated solely to that purpose. And sadly, in my experience, companies are not willing to spend the money, or able to hire enough security people, to have that level of a dedicated security concierge for every team that needs it.
Maybe real security people training the most security-aware person on a given marketing/dev team, and giving them some level of authority? If orgs won't/can't hire enough infosec folks, maybe some of the basic knowledge needs to be spread to other roles?
I may be grasping at straws here. It just feels ridiculous that my national security is being risked by these obviously super-dumb moves made by trillion dollar corporations.
You're describing what's popularly known as a "security champion" program. The problem is you're giving a little bit of training and authority to someone who is primarily accountable for marketing/dev/whatever. At best, this sets up a conflict of interest that the person will occasionally navigate successfully. At worst, they now know enough to be even more dangerous.
The problem isn't just knowledge. The problem is getting people to use that knowledge to push back on bad ideas.
Thanks. I'm filing that phrase away for future reference. Again, I am just stabbing in the dark from the outside here:
From my external POV, it feels like for all its faults, Google/Alphabet took the time to create BeyondCorp, and does not have the same record of infosec errors that Microsoft seems to regularly display in recent times.
Is that correct? If so, in your opinion, what is the difference? They both print money...
Is this just a difference in "corporate culture?"
Disclaimer: I grew up in Kirkland/Redmond, have a bias that is favorable towards MS, and would love to understand what the heck is happening.
Google/Alphabet is willing to mandate - and then enforce - sweeping changes. When they shifted to U2F and forced everyone to use it, phishing all but vanished as an ongoing problem. I don't know if Microsoft is capable of that, technologically or culturally.