I'd like to take a moment and introduce the latest addition to the Red Sky Alliance team. Steve Hunt joined us last week as our new Director of Community Engagement. Steve is one week into this new world of cyber spies, APT, and organized crime. I thought you might enjoy his fresh perspective as he jumps in feet first.
--Jeff
BT BT
BT BT
Security is not the point
Hi everyone. This is
my first blog as a Red Sky’er. I’m
starting to make the rounds, meeting my teammates and you, our members and
prospective members. Together we’ve had
lots of interesting conversations, some of which surprised me.
For example, I heard one member describe his job as managing
threats when his boss corrected him saying no, his job was to secure the
business. That got me thinking.
It’s an uphill battle to convince the decision-makers in any
business that they need to invest in security.
Why? Because deep down, all professional businesspeople think security
is an annoying layer of cost and inconvenience. If you walk in and tell them,
“We need more security,” they hear, “We need more annoying layers of cost and
inconvenience.”
Getting the buy-in for security products and services today
means understanding what drives your company’s security purchase
decisions—basically, what is going on in the mind of your bosses. Fear, uncertainty and doubt are not the
cleverest tools to use anymore. Now
businesses want something that sometimes seems like a foreign concept to the
security profession: value. If we
security professionals don’t adapt and start answering the questions our
business is really interested in, if we don’t stop talking about threats and
instead talk about creating value for the business, we’ll never get the green
light on new projects and improvements.
Remember, nobody wants security; they want the benefits of
security. That means that the housewife
doesn’t want the finest deadbolt on the front door because of the excellence of
its engineering or its impact resistance.
She wants a comfortable, happy place to raise her family. Businesses
also want something other than security.
If a bank manager has a mandate to reduce expenses related to bank
tellers, she has a couple of options.
She could fire all the tellers and lock up all the bank branches, but
then the bank would have no interface with its customers. Or she could take all the money, put it in
piles on the street corner under a clipboard that says, “Take what you want,
but write it down so we can balance your account.” That wouldn’t work either,
obviously. The best solution for reducing teller expenses is to take the money,
put in on the street corner locked in a box with a computer attached, and give
customers a plastic card for authentication and auditing….
Security was never the point. The bank had a business objective and
achieved it by using some security. That
is how we all should think of security: as a way of helping our companies
achieve the goals or value they seek.
Business managers, especially executives at the highest levels of an
organization, have a very simple view of security: It is a tool in the
corporate toolbox for enabling business.
It’s not our job to secure the network. It’s our job to
secure the business.
-Steve
3 comments:
Managing threats is like herding cats. Securing the business, to me, means looking at the business processes for high-value output chains and mapping them to the weakest-link low-value input chains.
To integrate the two requires a deep understanding of the business processes first. However, the potential for quick wins in memory or network forensics, edge/partner/endpoint information sharing, and global threat intelligence must also be carefully calculated into the security equation.
Your words brought back a number of war stories - most are even relevant.
Back in the Day, I was with AFOSI. I recall sitting in a meeting dealing with acquiring new computing hardware. The question of security eventually came up, and someone said, "Security is a pain in the ass".
Our Security Manager, much lower ranked, and looked to have been dozing through most of the meeting, said, "Excuse me, colonel. Security is SUPPOSED to be a pain in the ass."...and that was a pivotal point in that meeting.
I have also heard that getting 'buy in' with management is much like selling lightningrods - your sales pitch is mostly how bad it can be if you don't have any.
I have also heard that the only thing worse than being wrong about the need for security is being right.
As a colleague once explained it to me, threats are relevant to security in a commercial context but they need to be conceived as threats to the profitability of the enterprise - anything that is believable by that definition is worth spending money or effort to address. In one setting the biggest threat could be credit card fraud, in another it could be terrorism.
Post a Comment