Posts Tagged “organizational structure”

I was perusing the blogosphere and came across a post written by Sam Dekay over at BlogInfoSec.com.  Apparently it was sparked by the recent laying off of a friend.  The post focused on where Information Security fits within the grand scheme of any organization.  In the case of Mr. Dekay’s friend, that company was reassigning information security functions across several existing areas rather than have them assigned in one area.  The Office of the Chief Security Officer was to no longer exist. 

Apparently the company didn’t see the value in having the responsibility for security residing within a single department or person.  As information security professionals we want to make sure that everyone in an organization realizes that they share in the responsibility to use and protect information appropriately but this protection needs to be coordinated in order for it to be effective.

I’ve touched briefly on where security should fit into the organizational structure in Nomenclature and Where should the CSO or Network Security Reside within the Corporate Structure?. This problem also seems to exist across all industries (see The Guerilla CISO Blog: Needed Agency CSOs), so the question now becomes why.

Many of the business drivers associated with information security are negative drivers. Compliance issues or responding to a security incident are reactive in nature, not proactive. Somehow we have developed an approach that is fed by negative incidents rather than positive ones. We spend so much time just trying to stabilize what we are doing that we can’t seem to move forward, and as such we are seen as a drain on a company rather than an asset to be utilized. This is all part of what I call the Silver Bullet Mentality.

The Silver Bullet Mentality involves the mindset that security issues can be solved by technology.  “If only we could find that product that does X our problems would be solved.”  This mindset has typically resulted in declining revenues (information security is commonly an overhead function which eats into the overall profit margin).   Since security is seen as a technological issue our value as trusted advisors is limited to technology.  That has relegated us to overhead status that can be cut when the company tightens its belt. 

One of the reasons that I like the term Information Risk Management is that it implies that information, and the protection thereof, needs to be managed.  It incorporates the concept that the appropriate protection of information involves people, process, and technology. 

We first must understand the people part of the equation. This includes understanding the nature of the business and the people involved with that business (both employees and customers). From people we move on to the processes involved in meeting business needs and demands, and finally on to the technology, which can be defined as the tools used to facilitate the processes. This type of model has been used in many different ways and is in no way unique to Information Risk Management.

The difference is that instead of using negative drivers in an effort to drive security, we are using security to drive business. The arguments that we, as an industry, have been using (we need to do this or we’ll be hacked, or we’ll fail the compliance audit, etc.) just don’t work anymore (if they ever truly did). The executive level isn’t motivated by fear; they’re motivated by achieving a goal. We need to show not only how we can support business but how we can contribute to improving how our organizations do business. It is in that way that we move from being seen as an impediment to being seen as an asset.

I was talking with Abe Chen, a friend and former cohort member in Norwich University’s MSIA program, about the successes he has had in redefining the value of information risk management to the executive level of his company.  “Make friends with Sales and Marketing” he said.  “They know what is resonating with customers and partners.”

“I decided to reach out to Sales and Marketing while working on a particular project.  When I did they (Sales and Marketing) immediately saw the benefit that information security could bring to how they portrayed the company to new customers and partners.  They knew they could use it as a market differentiator.”    

This isn’t a one-way street either. Sales and Marketing can give you valuable insights into what makes your company competitive, thus giving you the insight and information on where you can contribute to business improvement.

“The added benefit to reaching out to Sales and Marketing was that as soon as they realized the benefit my project (and information security) would provide, they were able to sell it to management,” Abe relayed.

How much more powerful would your next budget request be if you had a profit-generating department in your corner, making the case for you?

Going back to the BlogInfoSec.com post, it is unfortunate that Mr. Dekay’s friend was laid off.  While I don’t know the specifics of why his department was made redundant, I can only speculate that his management didn’t fully appreciate the value information security brought to the company.  We should let it serve as a lesson to all of us that we need to either learn the language of business or risk being made redundant ourselves. 


This is another question that I have received via email.  As with many questions, there are no generic answers.  My answer is typically “It depends.” So much depends on the organization and its corporate culture.  That said, here is my attempt to generically answer the question. 

As I am sure everyone involved with this discussion will argue, the CSO should sit at least on par with the CIO. I agree with that argument whole-heartedly, but the sad reality is that all too often the CSO or Network Security group is an element of the IT department under the CIO. The line of thinking that places us there is that since the devices we oversee are IT assets, that is the most appropriate place for us.

Ideally the CSO should answer directly to the CEO or COO and be on the same level or above the CIO. That said, not many of our colleagues sitting in these positions find themselves so positioned. The trick becomes how to be effective from a disadvantageous position.

Network Security should enable business, not hinder it. Why not leverage this to push our agenda? As an enabler, we need to facilitate change through sound business practices and by becoming the ultimate team player. That does not mean compromising our ethics with regard to security. In my opinion, anyone who finds themselves in a position where they need to compromise their ethics probably was ineffective in delivering or framing their argument for security.

A good leader is also a good listener. Listening to the needs of business and formulating ways to meet the business need while being secure is the key to success in the CSO position. Granted, there will be times where we may find ourselves up against roadblocks and we cannot win every battle. An occasional roadblock or defeat can be dealt with but if we are faced with a systematic disregard for security then we need to ask ourselves two questions: Why did the company really create this position and why do I really want to stay here if I am not being effective?

I like beer (bear with me here – I’ll tie back into the topic). I used to have a girlfriend, back before I got married, who hated beer. While she didn’t have a problem with me having a few cold ones occasionally, she kept asking me why I liked beer. She just couldn’t understand how anyone could like the taste. I told her that she just hadn’t had a beer she liked yet, but that there were hundreds of different varieties. She of course didn’t believe me until I cooked dinner for her one night. At dinner, I served a Raspberry Lambic (beer). She commented on how wonderful the dinner was (I went to Culinary School after college, classically French trained) and how wonderful the Raspberry Champagne was, and wherever did I find it. Imagine her astonishment when I told her that it wasn’t champagne but beer.

The point is that my ex-girlfriend thought she didn’t like beer, but in reality she just hadn’t tried a beer she liked yet. Information Security is a lot like that. If you keep serving up the same old beer time and time again when you know that your boss doesn’t like it, then you deserve to have it thrown back in your face. By switching tactics, giving your boss something they think they want, and then telling them that not only does it taste good but it is something they thought they didn’t want in the first place, you will probably be met with a different outcome.

We need to be educators.  We need to deliver our message in such a way that we keep our audience receptive to what we are saying and educate them in why this should be important to them. If we are “organizationally challenged,” that does not mean that we cannot be effective; the job is definitely harder but nothing worthwhile is easy.

Often the org charts place security where the organization feels it best fits. This is sometimes indicative of the importance the organization places on Information Security (and sometimes it is just where it is, without any meaning whatsoever). Our jobs are to change that perception, relate what we do to our business’s mission, and show that by adopting secure business practices, the mission will become more effective. In short – our jobs are to educate.
