Article by Michael Thelander
In the next few weeks and months we’re going to talk a lot about “connecting” stuff.
We’re going to use the phrase “Connecting security to the business” with almost annoying frequency. Not to be annoying, but because it’s important. Because it can change the way the business views security, and the way security views the business.
This calls for a primer of sorts: What do we mean by all this “connecting security to the business” talk?
What Disconnected Security Looks Like:
- “We bought some of that next-gen firewall stuff … it doesn’t impact users and it’s fun to play with.”
- “I treat every business unit the same. I use the peanut butter approach to cover everything.”
- “The business keeps making decisions that impact security and force me to play catch-up.”
- “I told them their servers failed CIS benchmark 1.9.6 for anonymous SID/name translations. They looked at me like I was speaking Greek.”
- “I avoid conversations outside of the IT security or risk groups.”
The other side of the coin demonstrates what “connected security” is all about. It’s less technical than it is relational. It’s more about the business than it is about the technology or the threat-du-jour.
What Connected Security Looks Like:
- “I know what the business’s Top 3 initiatives are for the year… and so does my team.”
- “And we’re developing a plan to support them.”
- “I like it that business units come to us and ask risk questions because they know we won’t peddle FUD.”
- “The business trusts us to provide an objective measure of security posture.”
- “We’re seen as business enablers.”
- “I like taking conversations about IT security to sales, finance and fulfillment.”
That’s probably enough primer for now. The story will get clearer as we unravel more of it.
Cross-posted from Tripwire's State of Security