While There are Exceptions, Most Business Executives View Security as a Necessary Evil...
I have met a number of highly qualified, talented security professionals over the course of my career. I have also had the good fortune to witness some of those people accomplish a variety of amazing things within the information security space. So it may come as a bit of a surprise that when people demonstrate or present their work to me, I often ask them, “so what”? Allow me to explain.
As information security professionals, it is tempting to become enamored with the beauty or elegance of a technical solution, analytical technique, or investigative outcome. But we must remember that we live in a business world. It may be somewhat hard to believe, but to most of the world, security is essentially a black box. Stuff goes into the black box and other stuff comes out. What happens in between is often regarded as a bit of an enigma. While that may be a bit of an overstatement, it is certainly true that security as a profession or business function is not particularly well understood by outsiders.
This is all the more true in an enterprise setting. In an enterprise setting, security is viewed as an investment, or perhaps more accurately, as an expense. Executives invest a certain amount of money in security to manage and mitigate risks to the business. This is an important point to understand – while there are exceptions, most business executives view security as a necessary evil. The cost of a security program is certainly non-trivial. But the cost of not having a security program or of having an inadequate or immature security program can be far higher. That cost is typically measured in financial, legal, or public relations (PR) damage to the organization, its reputation, or its brand.
It is within this context that the “so what factor” becomes so important. Let’s take the case of building a successful security operations function as a working example. Say we go before our executives to request budget to build or enhance our security operations function. To a security professional, the need to perform the following (high level) steps may be clear:
• Establish a clear vision for the security operations function
• Assess the risks and threats to the business
• Develop goals and priorities for the security program based on those risks and threats
• Hire and retain the right people
• Develop and continually improve a mature security process at both strategic and tactical levels
• Identify gaps in visibility and implement technology to address those gaps
• Develop alerting content based on risks, threats, goals, and priorities
• Establish a unified work queue populated with high fidelity alerts, creating a high signal-to-noise ratio
• Ensure a smooth operational process with adequately trained staff
• Establish required communication channels with key incident response stakeholders
• Integrate actionable intelligence
• Build information sharing relationships
But if we present our case in this manner to someone who is not a security professional, we will likely receive the response: so what? What that response tells us is that there is a misalignment between what we value and what our audience values. But why does this disconnect between the security professional and the business executive exist? Well, for starters, in technical fields, our plans are generally laid out to address logical or functional issues. To us, this is a sensible way to go about things – for every operational itch, I need a way to scratch it.
What we have to remember is that non-technical people see the world differently. They view security as a budgetary expenditure that is somewhat of a mystery, and we must tie our budgetary requests and our strategic plans to business use cases that resonate with our audience. This is not an easy task for a security professional – it requires looking at the world in a way that is not entirely natural for most of us. But, if we do it properly, we have the potential to communicate our goals, strategies, and plans to an entirely new audience that can provide us the budget to achieve them. That has the potential to bring a tremendous amount of good to the organizations we dedicate ourselves to.
Let’s revisit the case of building or enhancing our security operations function, but this time, let’s formulate our argument based on points that resonate with our business audience. This will vary depending on our specific business model of course, but let’s give a few illustrative examples of points that address issues that may be on the mind of business executives. This time, we take the angle “we need to build (or enhance) our security operations function in order to”:
• Prevent theft of payment card data
• Identify compromise of, and fraud involving, critical assets (e.g., money movement servers)
• Detect and respond to breaches and theft of sensitive, proprietary, and confidential data before they cause financial, legal, and public relations damage to the organization
• Gain client and partner trust and confidence through a mature security program
At first glance, it may seem like we are leaving out a lot of important information, perhaps most importantly “how” we will accomplish these things. But that is the point – information that our audience will not absorb and internalize, or that does not resonate with them, is essentially superfluous to the discussion.
Of course, we should always have our full plan ready, at various levels of detail, in the event that we are asked for it. As technical people, it is our natural tendency to want to include every relevant piece of information. But to non-technical people, what’s relevant to the discussion is drastically different. This is an important point, but one that is quite difficult for security professionals to internalize – it’s simply not a natural way of thinking for most of us.
I hear a lot of security professionals beating the “people aren’t listening to what we are saying” drum, but how many of us have taken a step back to think about whether or not we are delivering the message incorrectly? It all goes back to mapping security issues to business use cases.
If we are successful in our communication efforts and we obtain the budgetary resources we are after, our executives will soon want to measure the effectiveness of their investment. We should be sure to evaluate ourselves using meaningful metrics relevant to the risks and threats faced by the business, rather than metrics that are easy to count but say nothing about risk. This is a very important topic, and one that I intend to address in a future column. Until then, think about the very important role we all have as the messenger.