101 Refresher: Info Security Comes First

Around the turn of the latest century, when information security was beginning to get more attention in corporate and government IT shops, one of the first (and most basic) system development best practices proposed by almost every IT project management consultant was to design information security into a system upfront, not after it was tested. In 2001, the National Institute of Standards and Technology issued guidelines that said as much.

The reasons were simple: It's more expensive to include security after development, and, most important, security is typically not as effective if tacked on.

But as Government Executive's Bob Brewin reports, that's exactly what Boeing and the Homeland Security Department have done with their billion-dollar-plus Secure Border Initiative Network (SBInet) surveillance system. According to Brewin, the Wi-Fi wireless SBInet pilot project Boeing is now testing in Arizona is vulnerable to cyberattacks. Boeing has issued a request for proposals to secure the wireless network, but as any IT manager would have told you six or more years ago, that's not an advisable management strategy if you want the system to be secure.

Why do IT project developers, even the best of them, still -- after six years -- fail to design information security into systems upfront?