Show Notes: https://justinfimlaid.com/not-invented-here-syndrome-for-security
Contact Me: https://justinfimlaid.com/contact-me/
you ever had an idea to advance your company or another companies security
posture? And it's a really good
idea. Like really good. You do you your homework and dot the
“I's” and cross the “T's” and your propose a superior
solution that sets your organization up for, what you think, is long term
success? When you propose your idea,
someone passionately proposes an alternative weaker solution. Or worse, people take shots at your idea
trying to make it look like swiss cheese for the apparent purpose of making an
alternate idea better?
yes, you might have seen and experienced the “Not Invented Here
One of the more concise definitions of Not Invented Here Syndrome (NIHS) I've heard come from Techopedia:
“Not invented here syndrome is a mindset or corporate culture that favors internally-developed products over externally-developed products, even when the external solution is superior.
frequently used in the context of software development, where a programmer will
overlook all the attributes of an existing solution simply
because it wasn't produced in-house.”
to NIHS is the micro variation comes when the security department or CISO is
accountable for security but doesn't have responsibility for security. So if you are security professional
recommending products/solutions that are always “shot down” by those
with budget authority there could be a few reasons and Not Invented Here might
be the cause. NIHS can take a couple
forms (this list adapted from Techopedia):
The other teams don't value the work of others. They have pride in a negative way.They don't understand or unwilling to try to understand the benefits and lack confidence.Fear that their previous ideas aren't valued.Territorial battles, e.g. internal “turf wars”.Fear of having to learn something new.Wanting to control the process. Would rather “reinvent the wheel” to maintain control.Jealousy that they didn't think of the idea first.Belief that they can do a better job.The other teams don't value the work of others and believe they can do better. They have pride in a positive way.
always the counter argument that the Security team always makes sub-tier
recommendations and IT rather keeps the proverbial security train on the
NIHS is a real thing and can really be barrier to completing an annual
plan. For organizations that don't
foster innovation NIHS can really be present in the way the company operates
day to day. There's some great articles
on Not Invented Here and how some of the worlds longest standing companies
foster innovation and work with external ideas to make their business grow.
Some interesting links you might check out…