Security's Everyman

Security's Everyman

Wednesday, May 30, 2007

Selling Security, It's our job

It's good to hear someone else from time to time get on the same rant as me. I'm talking about my regular "We need to quit bashing users" routine. Pete Lindstrom rants about how we need to pay closer attention to the business needs and not whine and cry about how Management doesn't understand or care about us. Now Pete is talking specifically about a podcast that Marcus Ranum did where apparently Marcus does just that. I have not listened to the podcast and so I can't comment on the specifics, but suffice it to say that whether or not Marcus did "whine" or not isn't the point. The point is that often Management does NOT get security (or IT at all) but it's not their job to get us. It's our job to explain ourselves and why we are important. They are business people and we need to sell them on the business of security. I don't mean try to scare them with FUD, compliance or horror stories. I mean we have to present a business case to them for security. Why is it important and what kink of ROI can be gained from it. How we can implement it without making the users life miserable. How it can make the company money. That's what they care about. Management is about the business being successful. If we can convince them that a secure business is a successful business then we have done our job (or an important part of it).

Now, before I start getting comments and emails about how most security professionals aren't business people. How they need to stay focused on technology in order to be good at what they do. I know that and I'm not suggesting that we should all make a run for the board room, but as an industry we have to take the steps to prove our worth and value. Many companies implement security just to get the auditors and compliance people off their backs. They hate security and think it is a waste of time, money and resources. We can continue to wallow in the basements of industry or we can take it upon ourselves to change the attitude of not only the "stupid user" that we all so often complain about, but also the "Clueless C's" that often complain about us. Management isn't going to come to us until they see a clear benefit to the company. We have to provide that clarity of vision.


LonerVamp said...

By and large I agree, but just to strike convo, here are some thoughts.

a) Management maybe shouldn't have us waving FUD around and horror stories, but that's what they wave to themselves. My mgmt right now is really on board with the idea of laptop encryption, not because of any real investigation, but because of the news media. I'm all for that, personally, as we make sure they know what they're getting. It might be the high road for infosec guys who talk to mgmt to say they're above that stuff, but...that's life and that's how we humans react and view risk.

b) Security may never be a clear vision to mgmt beyond compliance, negligence, and regulations. If there is no benefit to the company other than as an insurance role, there is really not much hope beyond a CYA approach. Besides, it is the nature of security to exist only when there is something to be combatted against. The war on terror wouldn't exist of terror were defeated or non-existent. This means our battle tends to drop down into insurance much do we *have* to do to get by before we don't get returns (either tangible like failed compliance and negligence damages, or intangible like the feel-goods our customers get about our security). How many managers believe that those physical security guards are really part of the company bottomline or part of the competitive edge or part of the product value? Just enough so they're not a hurt on the budgets...

I really think we'll always be "waah mgmt" in our security roles. That's just the way it is unless we're a 100% security company anyway. I think we need to recognize that will occur and accept it and not let it get to our heads (either in arrogence or in getting us so distracted and depressed). If we got everything we wanted, even those infosecs who are aligning with business, we'd likely be thinking "uhh, wow, talk about overkill..."

I would even go out on a limb to say security in a silo DOES still work. It's just the security SPENDING in a silo isn't working anymore.

I really should put this on my own blog, but I'm tired. Maybe tomorrow. :)

Just thoughts, some of which I could back off readily, others not so much so. :)

LonerVamp said...

Yay no more comments yet! Not 5 minutes after heading to bed right after my post, I argued myself away from saying that security/silo/spending bit. I might save that thought for my own blog post, but for now, I'm certainly shelving it. :)

Rob Lewis said...

An additional problem may be that corporations and management may underestimate the value of their data, and that may be an underlying variable on willingness to commit to security investments.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.