The Security Officer I met recently told me in his “old age” he now knew that the key to security in an organization was Evolution. Engage evolution.
But what does evolution mean for us InfoSec professionals? Well, I’m going to be bold and propose a check list – a sort of evolutionary progress list. Each step in this list must be preceded by the previous step, so no rushing forward or skipping a step because “Its not convenient”. Each step must be maintained, so you can’t back-slide or forget about something because its no longer needed. Each step is part of the foundation, and builds the mountain higher.
Here they are:
- Know your company – its goals, operations, plans, initiatives
- Know what keeps everyone in your company up at night
- Understand what things are relevant to each group in your company
- Accept the businesses perception of the world
- Put your thoughts of how security helps the company in plain, 6th grade English.
- Interject some of your ideas on risks, making sure they overlap with the things the business worries about
- Ask for acknowledgment of your concerns as you acknowledge the concerns of the rest of the company
You are probably looking at this list and saying, “Okay, you are crazy. Where are firewalls, where are Risk Assessments, where are vulnerability scans, ISMS, ISO 27001, OCTAVE, DLP….(insert your favorite security subject here)…”
My answer is, “Precisely”. Security should not be the focus of the evolution. HUH!?!?! Yes, get off of your technology, off of your Fear-Uncertainty-Doubt, and off of your idea that security is what keeps the company going.
First, know that security is a process inside another process – an operational process, which is inside a bigger process – the business. Trying to make security a macro-process that drives the organization puts the cart before the horse, and a type of thinking that we as InfoSec professionals perpetuate to our own detriment. Security is not the core of the business. Security is not the part of the business that directly provides revenue. (Think, does your security group provide a revenue stream for the business? Security product vendors, consultants and MSSP’s – think of your operational CSO vs. the products and services being delivered to customers.) Delivering products and services for a “fee” is the core of the business. A business is made up of many parts, and each one contributes to the business – marketing, finance, shipping, sales, manufacturing, product design. Without one the others can fall apart, but one alone cannot drive all the others. Each has their role, their tasks, and their objectives. Each one needs to understand their role to play, and how they fit into the larger picture. Once we as InfoSec professionals acknowledge that we are one piece of the overall plan, we can start making real progress.
Second, If we do not know what the business wants to do we can’t know what we need to protect or how to provide security that promotes the goals of the business. If we cannot provide security, the added value of security in the company’s goods and services cannot be delivered. But does that necessarily stop the company from operating? Given that so many companies lack good security, it clearly is not the case. Companies with bad security thrive, and sometimes the level that the thrive at greatly exceeds the break-ins, breaches, and thefts that occur. If this is the case, no one seems to care. When you have a box of one thousand pennies and you drop a few, do you care? Some people’s pennies have a little more shine to them, but the psychology is the same.
Third, the scope of security is not just IT. I will use one point in ISO 27001 as a jumping off point. According to the standard, the first steps of building an Information Security Management System (ISMS) is to define the scope of the ISMS. How would you define this scope? A network security person, if asked to define the scope will define this by the boundaries of the network. An IT security person if asked will define this as the computers, applications, databases, networks and devices being used. A CEO, if asked this question, would define the scope as the entire business. That is of course if you ask him the right question; “When you think about risks, what is the scope things that you would consider?”
Fourth, consider how the costs of your initiatives affect the overall goals of the company. Your new application firewall or the work around a new compliance requirement might take away money needed for payroll, or for the new product line that the company desperately needs to put out to keep up with the competition who seems to be pulling away. A new requirement you want for websites might result in a reduced customer experience because it takes them four more steps to complete a purchase and they decide to go somewhere else that has figured out an easier way to do it, or will do it in an insecure way.
Now hopefully those seven steps seem a little bit more relevant. More relevant because those seven steps help you look at the entire business and realize Information Security has a key role to play, but only if it is playing in the business.
Align yourself with the objectives and goals of the business. This will help you focus your efforts on things the business will appreciate, and can contribute to revenue recognition.
Know what risks everyone thinks about because some of them may surprise you. Not everyone thinks security is limited to IT. Some people are aware of industrial espionage, social engineering, physical security risks and fraud.
Think how security can contribute to the quality of the delivery of products and services. Security can increase the effectiveness, and sometimes the efficiency of the delivery of the products or services.
Understanding the business, its goals, the perceptions of customers and the real effect of security on the business, operations, sales and revenue recognition is the key to moving security forward. Make security something the CEO can wrap into his business plans, and he listens to you like a trusted adviser because you know and listen to him.