A peer recently pointed me to a discussion about information security as a “business enabler.” Daniel Miessler argued that:
‘Security isn’t an “enabler”; that line can hurt us. Security is about NOT doing things wrong, as part of overall quality.’and later in his essay that
“In a CEO’s big picture, there’s no difference between a web application firewall and a fire alarm and sprinkler system. Ultimately they both reduce to one thing: an operating expense.”There followed a number of thoughtful comments, and dialog.
The same day, Jeremiah Grossman [WhiteHat Security] wrote an essay about selling application security. He offered that application security should enable:
“solutions to be implemented in the time and place that maximizes return, demonstrates success, and by extension justifies the investment to the business in the language they understand.”He linked to a number of other’s writing about the topic and argued that one of the critical goals must be to help CIOs and CSOs “understand the relevant issues.” He appears to have worked with the Web Application Security Consortium (WASC) and The SANS Institute to initiate a joint open community project to build out a “risk-based enterprise website security strategy.” Mr. Grossman’s essay was followed by more thoughtful commenting and discussion.
After reading a number of the links and thinking about these two threads, I think that both have value. Any rant about sales “lines” that get repeated without a thought is a good thing in-and-of-itself. I think that both writers express frustration at the difficulty of motivating senior corporate leaders to part with their money for “security-related” investments. That is understandable. “Investment” funding is difficult for everyone today. I am working in financial services — where trillions of dollars of assets that we depended upon have simply disappeared. Money is very tight here. I understand why product and services vendors have been increasingly manic, frantic, and sometimes even bullying in the messages they email and leave on my phone.
So, what do I have to offer?
As a bumper sticker, “security as a business enabler” is just more vacuous blather. But if it is used as part of a more serious attempt to get at the problems of taking business-appropriate risks, or performing risk-appropriate business, then work like that proposed for “risk-based enterprise website security strategy” might be useful. I believe that the most effective information and technology operations risk management decision-making today happens because of the joint efforts of serious information security professionals and leaders (formal and informal) across the various organizations that make up modern corporations in most fields today. Depending on the given corporate culture, this is less or more process-driven.
- Sometimes it is strictly a matter of personal relationships (a risk-elevating situation).
- In other situations, project processes link these communities for long enough to work out understandings and plans that can facilitate effectively dealing with risks.
- Some organizations have broad and deep formalization of their organizational relationships, and the processes and information flows to maintain a shared understanding of threats, risks, controls & mitigations, current state, etc.
I believe that the first two situations above dominate, and that the third is an exception. As a result, what ever we do to support creation of a “risk-based enterprise website security strategy” or to find a new broad description of what information security is valuable, it needs to be useful in those organizations that depend heavily on cross-domain relationships between serious professionals to prioritize risk management investments. This is not meant to imply that information and application security specialists are not valuable. They are critical to the success of most organizations. I am responding to the focus on “selling.” Successful sales will require connecting with and delivering an effective message to those who can pay, or can materially influence those who can pay. My experience has been that this is an increasingly-small population.
For a number of years, I was intermittently called upon to assist a large corporate merger & acquisition team. We would review the target infrastructure, its operations, and the staff in the context of that target requiring quick and efficient on-boarding. There appeared to be a pattern, where the “best” IT, information security, and risk management teams were most tightly integrated into the broader corporate business operations. They viewed themselves as an integral member of the team — the only team, the one that served customers, partners, and investors. Sure, that is difficult in large, diversified corporations. It just didn’t stop some individuals, orother groups of IT and security professionals. A couple years ago, Gunnar Peterson wrote that
“The role of the security architecture is not to steer the business away from risk, but rather to educate their business partners about the risks they are taking and provide countermeasures that enable the business to take as much risk as suits their goals.”This seems like a good description of a small slice of what I saw at those few M&A targets where there was a minimum of cultural separation between executive management, marketing, sales, product development, logistics, support, security, and the IT organization’s technical specialists who kept the “plumbing” humming so that it all worked. All this is not to imply that everybody needed to know everything. Decision-makers of all kinds understood that they needed a threshold understanding of short and long term goals along many of the specialty-dimensions that were required to operate in their field.
None of that excluded the kind of data-rich analytical work proposed recently by Ron Charette. His notion of collecting specific buckets of “strongly-typed” information about application security to support analysis and reporting — essential for making informed decisions, makes a lot of sense.
It seems, though, that in many corporate environments, it requires data, along with individuals having a critical mass of professional risk management experience and what I will abbreviate as “adult business behaviors,” to effectively join teams of leaders (at all levels) to deal with risk in a manner that expresses a time-product-and-location-bound risk tolerances. That professional and “adult” combination is still a barrier for too many, and no new strategy will break through that barrier.
There is little, and shrinking room for techno-centric (“geek”) information security pros in the business communities where serious information or technology infrastructure operations risk decision-making takes place. Similarly, there appears to be dwindling room for experience-light or even experience-free “professional leaders.” Some career security team members engage all their work-life energy in the details, technologies, and operations of what is a modern information security organization, and then attempt to apply what they know to the various projects that come their way. They serve a valuable purpose, but they require constant management attention. They will tend to be of little assistance when we need to help translate pools of valuable data into a material resource for business decision-making, and even less when we have only a fine mist of information available.
A serious, expert, security professional is not only the holder of a credential. They need to have worked through at least a decade (see: “The Making of an Expert.” HBR 1 Jul 2007) of intense practice and dedicated coaching, constantly pushing themselves beyond their comfort zones to understand enough of the history, theory, craft, and rigorous intellectual practices that support risk management in a modern diversified corporate environment. A key component of that professionalization is learning how to share with and learn from leaders (formal and informal) throughout a business. In a highly dynamic business environment, they need to be able to synthesize new knowledge from their learning and experiences. Some are able to “simply” join that broader business environment. Others need to help construct more formalized processes, even new organizations to facilitate the level of cross-domain interaction required to effectively align risk decision-making and implementations with the other business dimensions essential for success in the marketplace. In either situation, this is what I meant by “adult business behaviors” above. Get a new model for “selling” information security as an enabler, or a new enterprise website security strategy into their hands, and I believe that you will begin to get traction.
— References —
The Problem With Selling Information Security as a “Business Enabler” By Daniel Miessler on March 26th, 2009: http://dmiessler.com/blog/the-problem-with-selling-information-security-as-a-business-enabler
“Website security needs a strategy.” By Jeremiah Grossman, Thursday, March 26, 2009: http://jeremiahgrossman.blogspot.com/2009/03/website-security-needs-strategy.html
“Security Architecture Blueprint.” By Gunnar Peterson: http://arctecgroup.net/pdf/ArctecSecurityArchitectureBlueprint.pdf and http://1raindrop.typepad.com/1_raindrop/2007/05/security_archit.html
“Proposal of Web Application Security Metric Framework to Compliance/Configuration Management Vendors.” By Ron Charette: http://roncharette.blogspot.com/2009/03/proposal-of-web-application-security_26.html
“The Making of an Expert.” HBR 1 Jul 2007, By K. Anders Ericsson, Michael J. Prietula, and Edward T. Cokely (requires login or purchase to access most of the article): http://hbr.harvardbusiness.org/2007/07/the-making-of-an-expert/ar/1
Completosec Channel 