Let's Be More Positive about Security
By Brian Boyd (CISM), Director at i-confidential
In my work as the principal consultant and account director at i-confidential, and with many years in various areas of cyber and information security, I have dealt with a lot of different clients. Some are large financial organisations; some are small technology companies. Some have large budgets; others are more modest. Regardless of these distinctions, I always tell them the same thing. It doesn’t matter where you are now. It matters that you know where you are.
It sounds like some bad career advice, yet you can’t even start improving your security position without understanding where you sit just now. This is not about the sky falling - the traditional security marketing message that I think is overused and often too negative. The positive view is that by knowing how mature your company is today in the relevant control or risk areas, you can prioritise where further investment is required.
Understanding the whole picture is important. Often in life we deal with hobbyists - those who prioritise one area above all others because of their specific interests or in-depth skills and knowledge. I see that frequently when speaking to people in the various parts of the organisations I work with. That passion is great and should be nurtured. Care is required, however, to ensure it doesn’t detract from all the other components that may be just as important.
Presenting that ‘whole’ security position makes a much better business case than simply looking at a new shiny toy - as nice as it may be - because you are telling a story. Not as the marketeers would necessarily like you to tell it, but one that is based around the actual risk profile of the business. That story simply explains where the organisation is and the best way forward. A much more powerful, holistic and positive message.
This approach also allows you to discuss with the board why the organisation should spend what you are suggesting they do spend. This has two benefits right away. First, you are educating and aligning understanding of your security domain. I’ve never been to a board that is not interested. Secondly, if the money isn’t available right now, it gives you the opportunity to highlight what that means in terms of risks. The organisation can then either consciously accept those risks, knowing and understanding the implications, or act on them. All positive things.
I have completed comprehensive security reviews for many organisations. In all instances I can say that positive action (and by action I do mean funding) was taken off the back of those reviews.
Why? Usually that was the first time everyone really understood the position and discussed it openly. Instead of buying into fear and uncertainty, people embraced the positive nature of the review, which in turn encouraged positive decisions. There was the ability to focus on clear priorities. As a result, those concerned tended to come out feeling much more engaged and motivated.
After all, who doesn’t want to improve?