What Do Security Practitioners Argue About When Nobody is Watching?
Wednesday, June 22nd 2011 @ 9:50 AM
Martin McKeay, who hosts the Network Security Podcast (and one of the originals who inspired me to get into blogging and podcasting) hosted an interesting round-table discussion on June 7, 2011, on the topic of “Which is easier: teaching security guys about the business issues, or teaching business people how to do security?”
The knock-em-down-drag-em-out panel included:
Rafal Los (click HERE for his White Rabbit blog)
Boris Sverdlik (click HERE for his Jaded Security blog)
Mark Nunnikhoven (click HERE for his blog)
Damien Tommasino (click HERE for his Security Nut blog); and of course
Martin McKeay (click HERE for Martin's blog; and HERE for the Network Security Podcast)
This discussion illustrates exactly how security guys like to argue. I was really impressed that each of these guys brought a slightly different viewpoint to the discussion. The most encouraging thing about this 1-hour podcast is that it begs for more cross-pollination between business executive management and security professionals. The discussion included topics such as:
- “Return on Security Investment”, and how recent breaches are starting to provide us with some kind of useful data
- Pondering certifications for the business side of security practice
- The issues with “bolting security onto the System Development Lifecycle”
- The need for a Chief Risk Officer
- The right and wrong kinds of Fear, Uncertainty and Doubt (FUD) to spread
- The issues of how a small business deals with security versus business objectives
There were many other very insightful comments that should be of interest to anyone concerned about security and risk within their organization. I found myself wanting to jump in, at times, to add my two cents worth. But of course, I couldn’t. So, I’ll add my comments here.
Mature security professionals often seem to have a healthy, burning need to ensure that the business management ranks in their organization understand: (1) What they have at risk, (2) What’s being done about it, and (3) Why.
I think continued effort in this area is the key to making progress in the short term. There were some good suggestions in the panel regarding things we’d like to see happen across the industry to address the root causes of our security deficiencies. But one of the most effective ways to get the business part of an organization on side with security is to start a mature, high level discussion with executives about business risks. This can be done in the short term, in any organization. I'm a bit surprised that this idea wasn't mentioned in the panel discussion.
This kind of high level conversation with an executive is not something a brand new CISSP certified security professional can easily do. You have to have experience in at least a few relevant projects, and you have to understand the business impacts of current vulnerabilities.
Credible Conversations With Executives
Credibility is critical. You have to be able to offer something like the following wisdom to an executive when you have them alone in a room: “We have a weakness in our customer identity management security. A similar kind of vulnerability has led to catastrophic breaches at , and it could happen here. What many organizations are doing to mitigate this kind of risk, as well as future, unforeseen risks, is to have a comprehensive risk management plan…”
This is just an example of such a starter conversation with an executive. Being able to connect the dots and translate the issue into business risks and relevant consequences implies that we need seasoned security professionals in key roles. I don't think it's really a matter of certifications. Believe it or not, executives like to listen to people who’ve made mistakes in relevant areas before (or, better yet, worked with people who have made those mistakes). In a small organization, there may be nobody who is willing or able to have this conversation. But you can get help from security consultants with business experience to do this.
Another suggestion I have for getting security and business organizations to work together within an enterprise is that, for larger organizations, a two-in-a-box approach can work very well. I’ve seen this work well within the Government of Canada. Typically, on the IT side of a department, there is a security professional who reviews all project deliverables and looks for impacts on risk. This is what we call the “System Security Engineer”. On the business side, the key business manager might have a delegate who is responsible for Enterprise Risk Management. This is somebody who knows how to communicate risk issues to the executive, and to whom the executive will listen.
All security risks that are important, by definition, must have an impact on enterprise risk. So, a close, constant dialogue between business risk management and IT security risk management allows for faster response to threats, as well as more appropriate security safeguards for the organization’s business processes.
Awareness at Two Levels
Of course, education and awareness are also key enablers of security and business communication. In my view there are two kinds of awareness that should be addressed. The first is the executive awareness of high level risks to the business, such as I described above. The second is the more traditional security awareness education for staff at two levels: general awareness and workflow-based awareness. These are areas in which I’ve worked for both public and private sector organizations.
With respect to the high level risk awareness issue, it’s not until this awareness of relevant business risks happens that management will commit any real support for investment in a security or risk management program. This is the time when I’ve seen that a little bit of FUD – appropriately sanitized and fed to executives – can help to grease the wheels. But there are a few real dangers to be aware of in making this kind of awareness pitch:
- You can’t make anyone look foolish for not being aware of these issues before
- You can’t allow a witch hunt to be launched when internal examples or data are used to make a point about current vulnerabilities
- You must constantly repeat that security risk management is a continuous business process that will help management become more pro-active.
There are other critical success factors, for sure. But these are the ones I’ve seen that are super-important to consider.
Let's Talk More
I’d love to be involved in these kinds of round-table discussions in future. So, if you are holding one, or just want to have a facilitated session between management, IT security and user representatives, please let me know. I’d be happy to participate.