People who are part of the Protect IT Group are typically information security and compliance professionals who are responsible for minimizing business risk in IT systems. They establish and maintain policies, processes and procedures to help ensure application changes are secure, and they regularly evaluate IT systems to identify vulnerabilities.
Manage and minimize risks, and protect our systems, data and business from cyber threats everywhere, inside and outside the organization.
People, process and technology are a constant balancing act; the goal is to have enough of each. You can't be 100% secure, so you need a layered approach to security. While security does introduce friction, the goal is to enable the business.
Security Operations, Security Analyst, Application Security, Penetration Tester, others
Expected to protect everything, but rarely involved in projects early or often enough. Frequently blamed for project delays and rework. Often brought in late in the SDLC as an isolated team, not included in developing new requirements, testing, etc. From an operational standpoint, signal fatigue (too many alerts, too few of them actionable) is a real problem.
Because security is never 100%, ideally we would have both proactive and reactive capabilities. For example, application security and shifting left are proactive measures, along with secure SDLC training for developers. On the reactive side, security operations and red teaming catch what wasn't discovered earlier in the process. All of these capabilities need to be driven and governed by policy and process, and adequate technologies need to be deployed to ensure success.