I was perusing the blogosphere and came across a post written by Sam Dekay over at BlogInfoSec.com. Apparently it was sparked by the recent laying off of a friend. The post focused on where Information Security fits within the grand scheme of any organization. In the case of Mr. Dekay’s friend, that company was reassigning information security functions across several existing areas rather than have them assigned in one area. The Office of the Chief Security Officer was to no longer exist.
Apparently the company didn’t see the value in having the responsibility for security residing within a single department or person. As information security professionals we want to make sure that everyone in an organization realizes that they share in the responsibility to use and protect information appropriately but this protection needs to be coordinated in order for it to be effective.
I’ve touched briefly on where security should fit into the organizational structure in Nomenclature and in Where should the CSO or Network Security Reside within the Corporate Structure? This problem also seems to exist across all industries (see The Guerilla CISO Blog: Needed Agency CSOS), so the question now becomes why.
Many of the business drivers associated with information security are negative drivers. Compliance issues or responding to a security incident are reactive in nature rather than proactive. Somehow we have developed an approach that is fed by negative incidents rather than positive ones. We spend so much time just trying to stabilize what we are doing that we can’t seem to move forward, and as such we are seen as a drain on a company rather than an asset to be utilized. This is all part of what I call the Silver Bullet Mentality.
The Silver Bullet Mentality involves the mindset that security issues can be solved by technology. “If only we could find that product that does X our problems would be solved.” This mindset has typically resulted in declining revenues (information security is commonly an overhead function which eats into the overall profit margin). Since security is seen as a technological issue our value as trusted advisors is limited to technology. That has relegated us to overhead status that can be cut when the company tightens its belt.
One of the reasons that I like the term Information Risk Management is that it implies that information, and the protection thereof, needs to be managed. It incorporates the concept that the appropriate protection of information involves people, process, and technology.
We first must understand the people part of the equation. This includes understanding the nature of the business and the people involved with that business (both employees and customers). From people we move on to the processes involved in meeting business needs and demands, and finally on to the technology, which can be defined as the tools used to facilitate the processes. This type of model has been used in many different ways and is in no way unique to Information Risk Management.
The difference is that instead of using negative drivers in an effort to drive security, we are using security to drive business. The arguments that we, as an industry, have been using (we need to do this or we’ll be hacked, or we’ll fail the compliance audit, etc.) just don’t work anymore (if they ever truly did). The executive level isn’t motivated by fear; they’re motivated by achieving a goal. We need to show not only how we can support the business but how we can contribute to improving how our organizations do business. It is in that way that we move from being seen as an impediment to being seen as an asset.
I was talking with Abe Chen, a friend and former cohort member in Norwich University’s MSIA program, about the successes he has had in redefining the value of information risk management to the executive level of his company. “Make friends with Sales and Marketing” he said. “They know what is resonating with customers and partners.”
“I decided to reach out to Sales and Marketing while working on a particular project. When I did they (Sales and Marketing) immediately saw the benefit that information security could bring to how they portrayed the company to new customers and partners. They knew they could use it as a market differentiator.”
This isn’t a one-way street either. Sales and Marketing can give you valuable insights into what makes your company competitive, thus giving you the insight and information on where you can contribute to business improvement.
“The added benefit to reaching out to Sales and Marketing was that as soon as they realized the benefit my project (and information security) would provide, they were able to sell it to management,” Abe relayed.
How much more powerful would your next budget request be if you had a profit-generating department in your corner with you, making the case for you?
Going back to the BlogInfoSec.com post, it is unfortunate that Mr. Dekay’s friend was laid off. While I don’t know the specifics of why his department was made redundant, I can only speculate that his management didn’t fully appreciate the value information security brought to the company. We should let it serve as a lesson to all of us that we need to either learn the language of business or risk being made redundant ourselves.
Tags: Abe Chen, BlogInfoSec.Com, CSO, information risk management, negative business drivers, organizational structure, people-process-technology, Sam DeKay, Silver Bullet Mentality