Dear CSO: Turns Out, You Were Right

The state of software security is pretty bad right now and maybe, just maybe that hated approach the bank CSOs took was the right one.

I’m sorry. I was wrong. This is an apology to every CSO in every bank I’ve ever worked with. Turns out, you were right.

It might have taken a while, but time has certainly shown you to be correct. I probably didn’t complain to you directly, but I certainly swore under my breath in many a meeting or security review while trying to get a risk system live.

It turns out you were right when you mandated that every package (regardless of package manager or programming language) could only be sourced from an internal repository, and that getting something new into that repository first required a security review, for every version.

It turns out you were right to mandate encryption with keys that never leave the premises, no matter how secure the cloud providers promised their encryption schemes were.

It turns out you were right to require every binary, shell script or archive be vetted before crossing the bank’s firewall.
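As an added example, not from the original post, here is one way to check the first mandate mechanically: a Python audit of an npm package-lock.json that flags any dependency whose resolved URL is not the internal repository, that has no integrity hash pinned, or whose exact version is not on the reviewed allowlist. The internal host name, the allowlist and the sample lockfile are all constructed for the example.

```python
"""Audit an npm package-lock.json (lockfileVersion 2/3 layout) against the
"internal repository only, every version reviewed" rule."""
import json
from urllib.parse import urlparse

# Hypothetical internal registry host and per-version review allowlist.
INTERNAL_HOST = "artifacts.example-bank.internal"
APPROVED = {("left-pad", "1.3.0"), ("lodash", "4.17.21")}

# Constructed sample lockfile: one compliant package, one unreviewed
# version bump, and one package pulled straight from the public registry.
SAMPLE_LOCK = json.dumps({
    "name": "risk-engine", "lockfileVersion": 3,
    "packages": {
        "": {"name": "risk-engine", "version": "0.1.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://artifacts.example-bank.internal/npm/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-constructed"},
        "node_modules/lodash": {
            "version": "4.17.22",
            "resolved": "https://artifacts.example-bank.internal/npm/lodash/-/lodash-4.17.22.tgz",
            "integrity": "sha512-constructed"},
        "node_modules/colors": {
            "version": "1.4.0",
            "resolved": "https://registry.npmjs.org/colors/-/colors-1.4.0.tgz"},
    },
})

def audit_lockfile(lock_json, internal_host=INTERNAL_HOST, approved=APPROVED):
    """Return one finding per violation; an empty list means every dependency
    came from the internal repository and every exact version was reviewed."""
    findings = []
    lock = json.loads(lock_json)
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
        version = meta.get("version", "")
        resolved = meta.get("resolved")
        host = urlparse(resolved).hostname if resolved else None
        if host is None:
            findings.append(f"{name}@{version}: no resolved URL recorded")
        elif host != internal_host:
            findings.append(f"{name}@{version}: fetched from {host}, not the internal repository")
        if "integrity" not in meta:
            findings.append(f"{name}@{version}: no integrity hash pinned")
        if (name, version) not in approved:
            findings.append(f"{name}@{version}: version has not passed security review")
    return findings
```

Run it as a CI gate on the committed lockfile; any non-empty result blocks the build until the package is mirrored and the exact version is reviewed.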

Even if all of these processes did nothing more than add a little friction and delay (though I expect they do more than that), right now they are paying dividends. I now find myself wondering how to implement many of these same ideas within HMx Labs. Perhaps with a little less friction and bureaucracy, but even so.

So, I have my humble pie and will duly eat it. And I promise to be more amenable in future! To all my friends and colleagues writing code in a bank: maybe it’s time to cut our CSOs a little slack and get with the program.

P.S.: If you don’t know why I’m writing this now, you might want to quickly go and Google Copy Fail, Copy Fail2, Dirty Frag, Shai Hulud, Mini Shai Hulud and quite a few others.