I'd like to take a moment and introduce the latest addition to the Red Sky Alliance team. Steve Hunt joined us last week as our new Director of Community Engagement. Steve is one week into this new world of cyber spies, APT, and organized crime. I thought you might enjoy his fresh perspective as he jumps in feet first.
--Jeff
BT BT
Security is not the point
Hi everyone. This is my first blog as a Red Sky’er. I’m starting to make the rounds, meeting my teammates and you, our members and prospective members. Together we’ve had lots of interesting conversations, some of which surprised me.
For example, I heard one member describe his job as managing threats when his boss corrected him saying no, his job was to secure the business. That got me thinking.
It’s an uphill battle to convince the decision-makers in any business that they need to invest in security. Why? Because deep down, all professional businesspeople think security is an annoying layer of cost and inconvenience. If you walk in and tell them, “We need more security,” they hear, “We need more annoying layers of cost and inconvenience.”
Getting the buy-in for security products and services today means understanding what drives your company’s security purchase decisions—basically, what is going on in the mind of your bosses. Fear, uncertainty and doubt are not the cleverest tools to use anymore. Now businesses want something that sometimes seems like a foreign concept to the security profession: value. If we security professionals don’t adapt and start answering the questions our business is really interested in, if we don’t stop talking about threats and instead talk about creating value for the business, we’ll never get the green light on new projects and improvements.
Remember, nobody wants security; they want the benefits of security. That means that the housewife doesn’t want the finest deadbolt on the front door because of the excellence of its engineering or its impact resistance. She wants a comfortable, happy place to raise her family. Businesses also want something other than security.
If a bank manager has a mandate to reduce expenses related to bank tellers, she has a couple of options. She could fire all the tellers and lock up all the bank branches, but then the bank would have no interface with its customers. Or she could take all the money, put it in piles on the street corner under a clipboard that says, “Take what you want, but write it down so we can balance your account.” That wouldn’t work either, obviously. The best solution for reducing teller expenses is to take the money, put it on the street corner locked in a box with a computer attached, and give customers a plastic card for authentication and auditing….
Security was never the point. The bank had a business objective and achieved it by using some security. That is how we all should think of security: as a way of helping our companies achieve the goals or value they seek. Business managers, especially executives at the highest levels of an organization, have a very simple view of security: It is a tool in the corporate toolbox for enabling business.
It’s not our job to secure the network. It’s our job to secure the business.
-Steve