What are security professionals doing wrong that they can’t connect and communicate with their businesses’ senior management, asked Brian Honan (@BrianHonan), Principal of BH Consulting in our conversation at the 2013 RSA Conference in San Francisco.
Honan’s solution for the security industry is to hack senior management. Here are a few of his tips:
Understand the system: To hack anything you need to understand how the system operates. Understand where the senior management is coming from. Read the business plans and the annual reports. What drives senior management to do what they do?
Make security an enabler: Don’t let security come in at the end of the discussion of what the business wants to do. Get ahead of the conversation so you’re in the process, helping them drive the success of what they want to get done.
Get ahead of the issues: Once you understand what the business is trying to do, instead of saying no, explain what you would have to do on the security side to make it possible.
Be more positive: Security is often seen as a deep dark hole that money just goes into and never comes out. Don’t play that role. Be more positive and show that you’re eager to use security to help the business succeed.
This is all nice and sounds great. This is where security wants to be, but the question is how to get there. If the items here are ever going to be realized, the humans involved need the right tools, tools which they currently do not have.
In most cases I don't believe security has direct influence on decisions because of a lack of trust. Security has been quite severely demoted in many cases. So whereas it's nice to think that we have some influence, in most cases security only exists because some external auditor says it has to exist. And security teams only have themselves to blame for this.
The root of it all is trust, and lack of. Taking one of the points here: "Instead of saying no...[MBA rhetoric]". Saying "no" is fine and in fact I want to hear security say no more often. The key is the level of confidence in the message delivery. Saying "no" with fake "I have to sound confident" confidence does not work. But where is the security manager's confidence going to come from? They're backed by tools which are either useless or deliver inaccurate automation, and humans with the wrong skills.
When there is a lack of confidence, the answer will always be "yes".
If we can get the right skills back in security and accreditations to prove the skills, the items on this list will just happen. But before we're at that point, to try and act in this sort of "hack the c-levels" way will be counter-productive, and has clearly been counter-productive.
I agree with your sentiment - the point of infosec staying away from the habit of being the "house of no" is in part so that we have more influence from the beginning of a project, not as an afterthought while everyone is anxiously waiting for something to launch, and expecting us to greenlight it because of time/budget constraints, which demonstrates that they don't understand our purpose.
Sure, they understand when stuff gets hung up in Legal, as everyone understands how costly a lawsuit is, but they fail to anticipate how costly a security event can be.
We need to educate them, from top down (C-level). Let's not be the "house of no" - let's be the house of "if you want to do that, we can show you how to do it securely from the get go...
(PS - This is Anthony M. Freed responding for Tripwire in my new capacity there... Cheers Ian!)
Sure Anthony, and it's all good. Brian's comments are fine and this is how the inertia should be directed, it's just that in many cases security will have burned its ticket to see C-levels many years ago. The question is how to get a new ticket?
This is at least the situation I've seen many times. Security _used_ to report to the CEO, but then reports to someone in ops. Actually after 2008, I heard stories of security teams being disbanded altogether.
The situation you described is oh so real and spot on in many cases. Security is in exactly this position - perhaps not even knowing of a major new project until the Change Record pops up in the security queue 24 hours before launch.
Anthony M. Freed
Exactly - that's why it is so very important we learn to connect security endeavors to the primary business objectives, so we stop looking like a cost center, and start being treated like an integral part of business ops... I mean really, IT is not going away, it's not a momentary trend, so why should security continue to be treated like a vestigial appendage? As a wise old man said: "Run, you fools!"