The title of this blog is the subject of a presentation I gave yesterday to the IISyG. I took a deliberately provocative stance, making a point that security is not there to enable the business, it’s there to mitigate risk. That is not the same thing: it’s cost, expense, and time and we only do it because we have to.
What was interesting was the vociferous counter-argument, especially from those present from the financial services industry who made the point that many of their services would not be publicly acceptable nor acceptable to their regulators without solid built-in security and so in their case it’s an enabler. Yes, I agree, however, doing something because you have to is not the same thing as doing something because you want to. The financial services industry is the same as other industries in that profit is the driving force and if they could get away without the additional cost and expense of designing stronger and better security then they probably would.
I don’t think there is anything wrong in admitting that we “do security” because we have to. The trick is in the way the work gets sold within the business. Too often security professionals try to justify costs by presenting vague ROI figures or metrics such as firewall logs showing the number of intrusion attempts. The problem with this is that the finance director will laugh your ROI data out of his office and nobody outside of the IT department is going to be a) interested or b) able to understand the significance of a pie-charted extract of the firewall logs. If you want to convince the business then you have to cut out the techie chat. The key points I made are that we need to
– Take a risk based approach
– Focus on business needs
– Talk the language of the business
– Don’t make wild statements about cost savings and ROI
– Work to reduce costs
– Put risk assessments into context
– Present a decent set of meaningful security metrics
One of the interesting notes that came out of the discussion was the impact of using the word “security.” This seems to be the passion-killer. Talk about “risk” and “compliance” and “governance” and the view is that it’s much easier to get business buy-in. Talk about “security” and it’s considered to belong in the IT department or checking passes at the main entrance.