Security Think Tank: Infosec and the business – the symbiotic relationship

How can information security make business sense?

I am tired of the mutual finger-pointing between infosec people and the business.

Between accusations of “silly techies, obsessed with detail” and “stuffy suits, shooting from the hip”, the progress of information security as an integral business discipline has been slow.

Infosec professionals have been spending the past decade trying to get the business to “get it”. 

Helped along by high profile security breaches and the predictable lagged effect of a tightening of regulation (a la DPA, PCI DSS, etc), they have concentrated on running awareness programmes, while lurching sometimes back to selling FUD (especially the suppliers).

The business, on the other hand, has been trying to get security professionals to speak the language of risk and has tried to cajole the profession into producing more and more metrics, based on the adage that you cannot manage what you cannot measure.

Both approaches have merit and have contributed to shrinking the no-man land in between. However, the secret to a successful relationship is to recognise each other’s differences and to divide work in a way that plays to each other’s respective strengths.

Imagine the exosymbiotic relationship between a whale and the cleaner fish. Without one living in the other’s body and without speaking each other’s language or using the same measurements of success, the relationship is mutually beneficial.

The cleaner fish are not expected to support the whale in the business sense. They are not there to make it swim faster or deeper, neither are they there to boost some other bottom line. The cleaner fish perform a necessary hygiene function, but it’s up to the respective whale to do its best to be successful in the wider ocean (read market).                                 

So, my proposal is that the business and the infosec profession need to start behaving like symbionts in a relationship. One depends on the other for funding, access and authority to get things done, while the other relies on its partner to protect its information and data and processes in order to do what it does best without mishaps or interruptions.

I think security absolutely already supports the business, but this does not mean that the relationship has to be one of subordination. Showing mutual respect for each other’s complementary skills and allowing each other space to do one's job, while being reasonable along the way, should be the key to a prosperous future together.

Ionut Ionescu is a member of the (ISC)2European Advisory Board

Read more on Privacy and data protection