Saturday, January 25, 2014

Red Sky Weekly (1/25/14): Security is not the point.

I'd like to take a moment and introduce the latest  addition to the Red Sky Alliance team. Steve Hunt joined us last week as our new Director of Community Engagement. Steve is one week into this new world of cyber spies, APT, and organized crime.  I thought you might enjoy his fresh perspective as he jumps in feet first. 



Security is not the point

Hi everyone.  This is my first blog as a Red Sky’er.  I’m starting to make the rounds, meeting my teammates and you, our members and prospective members.   Together we’ve had lots of interesting conversations, some of which surprised me.

For example, I heard one member describe his job as managing threats when his boss corrected him saying no, his job was to secure the business.  That got me thinking.

It’s an uphill battle to convince the decision-makers in any business that they need to invest in security.  Why? Because deep down, all professional businesspeople think security is an annoying layer of cost and inconvenience. If you walk in and tell them, “We need more security,” they hear, “We need more annoying layers of cost and inconvenience.”

Getting the buy-in for security products and services today means understanding what drives your company’s security purchase decisions—basically, what is going on in the mind of your bosses.  Fear, uncertainty and doubt are not the cleverest tools to use anymore.  Now businesses want something that sometimes seems like a foreign concept to the security profession: value.  If we security professionals don’t adapt and start answering the questions our business is really interested in, if we don’t stop talking about threats and instead talk about creating value for the business, we’ll never get the green light on new projects and improvements.

Remember, nobody wants security; they want the benefits of security.  That means that the housewife doesn’t want the finest deadbolt on the front door because of the excellence of its engineering or its impact resistance.  She wants a comfortable, happy place to raise her family. Businesses also want something other than security.  If a bank manager has a mandate to reduce expenses related to bank tellers, she has a couple of options.  She could fire all the tellers and lock up all the bank branches, but then the bank would have no interface with its customers.  Or she could take all the money, put it in piles on the street corner under a clipboard that says, “Take what you want, but write it down so we can balance your account.” That wouldn’t work either, obviously. The best solution for reducing teller expenses is to take the money, put in on the street corner locked in a box with a computer attached, and give customers a plastic card for authentication and auditing….

Security was never the point.  The bank had a business objective and achieved it by using some security.  That is how we all should think of security: as a way of helping our companies achieve the goals or value they seek.  Business managers, especially executives at the highest levels of an organization, have a very simple view of security: It is a tool in the corporate toolbox for enabling business.

It’s not our job to secure the network. It’s our job to secure the business.