Business Relevant Infosec - The Top and Bottom Lines

Sunday, July 24, 2011

Rafal Los



Take off your "Security Hat" for a moment... and pretend you work like everyone else in your organization.

I know, this isn't an easy ask, but just trust me on this a moment... something came up during our last #SecBiz call that I wanted to echo here.

When you're working for a business only 2 things matter... the top line and bottom line.  Translated into normal speak that means you need to contribute to the business in one of two ways:

  • help the business make money (adding to the top line)
  • help the business save money (managing the bottom line)

If you're not working to one of those two goals, you're wasting company resources.  Nothing revolutionary here, right?

Consider for a moment the security practitioner's mental process.

What we do...

As security people we want to protect, defend, and implement things that make the world safer from those evil hackers. Right? But why? What are we protecting... and against what? More importantly... why?

See, we've been talking about how to bring security and the business closer... but what we're realizing through some extremely well-done coaching is that the point isn't to bring them together because... well, they're the same thing. 

Security isn't somehow disconnected from the business... it's part of the business.  When we fail to see that, to acknowledge that, then we lose - and by we I mean the entire community, the organization and you too.

The Bottom Line on the Top Line

Contributing to the corporate profit (top line) is difficult.  How can a group that's traditionally been the cost center, taking in money but never really making it, help the company earn more? 

There are many innovative ways depending on whom you ask - but I like my story about how app security software testing can be used during M&A activity to negotiate a more agreeable acquisition price - that helps contribute to the company top line. 

Security, when done properly, can also help an organization reach market faster - and that always contributes to top-line profits.  I could keep going, but I'll invite others to share in the comments of this post how they help contribute to the top line of their organization.

No matter how you do it, this is one of the two ways to be truly part of the business... and not acting like a bolt-on.  This is what you should be working towards, as your primary motivator.

Now, knowing this, look at the list of projects you've carved out for your security team for the year - and ask yourself... how do these projects align with business objectives, and contribute to the top-line of the business? 

An interesting comment was made on a call today..."A retail store manager doesn't ask themselves how they should contribute to the top-line of the business, it would be silly..."  So I ask you - why don't we think this way?

The Bottom Line

The bottom line is a little less tricky, but not necessarily less difficult to contribute to.  If you can't help the company make money, then help it save money.  Sounds rational, right?

Here's the deal, even if it's difficult to connect the dots, implementing a full Software Security Assurance (SSA) program can save the company money in the long term.  How?

  • software built more securely is more likely to be resilient in other ways - more available
  • implementing security measures in development keeps costs of re-work down
  • yearly costs associated with 'fire drill' will go down drastically
  • more coherent use of technology reduces 'shelfware' and wasted capital spend
  • ...and on, and on, and on - you get the idea

SO... in the long run, helping do things securely, that is right, is the smart thing to do, and it will save the company money, period.  You can contribute to that - you just have to measure it.  Oh, right, this brings me to my next point...

Measure it or it Didn't Happen

Too many security practitioners implement wonderful cost-saving measures, and programs that help the top-line ...but because they fail to measure these things appropriately it's as if they didn't happen.  That's unfortunate! 

Remember that the business has certain KPIs (Key Performance Indicators - which I've talked about before!) that it measures success or failure by.  But how do you know what to measure against?

Think about what the business cares about - then measure the impact of what you're doing against that. Look at your board-level directives, the things the company cares about beyond the simple "making a bigger profit" (because not every business cares about simply profits, trust me...) and find innovative ways to measure against those KPIs. 

If you're a hospital, one of your goals may be to have a higher survival rate for your emergency room.  How does your software security assurance program contribute to that?  I can think of at least a half-dozen ways right off the top of my head... can you?

The Final, Final Word

So, in the end, it's about 3 things.  The top line, the bottom line, and measuring your impact against business KPIs.  If you're not 100% clear on just how to do that, join the #SecBiz conversations (See Twitter hashtag #SecBiz) and we'll help get you there. 

Ask a friend, find a mentor, or join the group dedicated to it... doesn't matter how you get there, just get there.  Your business and your career depend on it.

Cross-posted from Following the White Rabbit
