Saturday, January 25, 2014

Red Sky Weekly (1/25/14): Security is not the point.

I'd like to take a moment and introduce the latest addition to the Red Sky Alliance team. Steve Hunt joined us last week as our new Director of Community Engagement. Steve is one week into this new world of cyber spies, APT, and organized crime. I thought you might enjoy his fresh perspective as he jumps in feet first.

--Jeff

BT BT

Security is not the point

Hi everyone.  This is my first blog as a Red Sky’er.  I’m starting to make the rounds, meeting my teammates and you, our members and prospective members.   Together we’ve had lots of interesting conversations, some of which surprised me.

For example, I heard one member describe his job as managing threats when his boss corrected him saying no, his job was to secure the business.  That got me thinking.

It’s an uphill battle to convince the decision-makers in any business that they need to invest in security.  Why? Because deep down, all professional businesspeople think security is an annoying layer of cost and inconvenience. If you walk in and tell them, “We need more security,” they hear, “We need more annoying layers of cost and inconvenience.”

Getting the buy-in for security products and services today means understanding what drives your company’s security purchase decisions—basically, what is going on in the mind of your bosses.  Fear, uncertainty and doubt are not the cleverest tools to use anymore.  Now businesses want something that sometimes seems like a foreign concept to the security profession: value.  If we security professionals don’t adapt and start answering the questions our business is really interested in, if we don’t stop talking about threats and instead talk about creating value for the business, we’ll never get the green light on new projects and improvements.

Remember, nobody wants security; they want the benefits of security.  That means that the housewife doesn’t want the finest deadbolt on the front door because of the excellence of its engineering or its impact resistance.  She wants a comfortable, happy place to raise her family. Businesses also want something other than security.  If a bank manager has a mandate to reduce expenses related to bank tellers, she has a couple of options.  She could fire all the tellers and lock up all the bank branches, but then the bank would have no interface with its customers.  Or she could take all the money, put it in piles on the street corner under a clipboard that says, “Take what you want, but write it down so we can balance your account.” That wouldn’t work either, obviously. The best solution for reducing teller expenses is to take the money, put it on the street corner locked in a box with a computer attached, and give customers a plastic card for authentication and auditing….

Security was never the point.  The bank had a business objective and achieved it by using some security.  That is how we all should think of security: as a way of helping our companies achieve the goals or value they seek.  Business managers, especially executives at the highest levels of an organization, have a very simple view of security: It is a tool in the corporate toolbox for enabling business.

It’s not our job to secure the network. It’s our job to secure the business.

-Steve



3 comments:

dre said...

Managing threats is like herding cats. Securing the business, to me, means looking at the business processes for high-value output chains and mapping them to the weakest-link low-value input chains.

To integrate the two requires a deep understanding of the business processes first. However, the potential for quick wins in memory or network forensics, edge/partner/endpoint information sharing, and global threat intelligence must also be carefully calculated into the security equation.

CrimeDog said...

Your words brought back a number of war stories - most are even relevant.
Back in the Day, I was with AFOSI. I recall sitting in a meeting dealing with acquiring new computing hardware. The question of security eventually came up, and someone said, "Security is a pain in the ass".
Our Security Manager, much lower ranked, and looked to have been dozing through most of the meeting, said, "Excuse me, colonel. Security is SUPPOSED to be a pain in the ass."...and that was a pivotal point in that meeting.

I have also heard that getting 'buy in' with management is much like selling lightning rods - your sales pitch is mostly how bad it can be if you don't have any.
I have also heard that the only thing worse than being wrong about the need for security is being right.

Unknown said...

As a colleague once explained it to me, threats are relevant to security in a commercial context but they need to be conceived as threats to the profitability of the enterprise - anything that is believable by that definition is worth spending money or effort to address. In one setting the biggest threat could be credit card fraud, in another it could be terrorism.