We’re Not the Secret Service
By Stephen Hughes, Senior Information Security Consultant at i-confidential
When I talk about cyber security to people outside ‘the circle’, they invariably give a nod and a wink and remark that it must all be terribly complicated and secretive. The ‘fact’ is that, at times, cyber security is necessarily a clandestine operation. On the whole, though, it doesn’t need to be at all, and we must all strive to make it a more accessible and transparent discipline.
As security professionals, it’s all too easy to either airily understate the complexity of what we do, or worse still, make it more complicated than it needs to be.
The most important stakeholder group for almost every security remediation programme is the one most often overlooked: the business. I previously worked with a client on fixing some third-party website security risks. Some of those risks were technical and some were not, but every one of them needed the business to accept the solution and implement it themselves. That could, for example, mean working with the third party to put a technical control in place, or building better internal processes.
As subject-matter experts, we just love finding the broken stuff and telling the business to fix it. It’s not that simple, and we consistently overestimate the capability of the business to understand the breadth and depth of the risks. What we regard as a simple fix, such as asking the third party to implement IP filtering so that only traffic from our own addresses is accepted, will more often than not turn out to be quite challenging for our business colleagues.
It’s not good enough to say, ‘Here’s the guidance. Just go and speak to the network team. They’ll sort you out with some nice IP solutions.’ The unfortunate person on the receiving end might not even know what IP stands for, still less why filtering it matters. Risk remediation is only effective if every stakeholder understands both the risk and how to go about fixing it. If there is a significant gap in understanding, or no opportunity to clarify, it’s quite likely that the security gap you are worried about won’t get plugged.
We need to invest more time than we think in making security relevant and understandable to our business colleagues. We need to give them the opportunity to safely ask the supposedly stupid questions, such as, ‘What does IP filtering actually do?’ or ‘Why do I need to worry about access recertification again?’
Our job as security professionals is not to obfuscate the subject, but to make security a tangible business issue. Much as some of us enjoy the impression, most of us are not the Secret Service. We should always be as open and transparent as we can, because we can’t succeed without building proper engagement with the business community and harnessing its full capabilities.