

  Scott Wright's Security Views

What Do Security Practitioners Argue About When Nobody is Watching?

Wednesday, June 22nd 2011 @ 9:50 AM

Martin McKeay, who hosts the Network Security Podcast (and one of the originals who inspired me to get into blogging and podcasting) hosted an interesting round-table discussion on June 7, 2011, on the topic of “Which is easier: teaching security guys about the business issues, or teaching business people how to do security?”

The knock-em-down-drag-em-out panel included:

  • Rafal Los (White Rabbit blog)
  • Boris Sverdlik (Jaded Security blog)
  • Mark Nunnikhoven (his own blog)
  • Damien Tommasino (Security Nut blog); and of course
  • Martin McKeay (Martin's blog and the Network Security Podcast)

This discussion illustrates exactly how security guys like to argue. I was really impressed that each of these guys brought a slightly different viewpoint to the discussion. The most encouraging thing about this 1-hour podcast is that it’s begging for more cross-pollination between business executive management and security professionals. The discussion included topics such as:

  • “Return on Security Investment”, and how recent breaches are starting to provide us with some kind of useful data
  • Pondering certifications for the business side of security practice
  • The issues with “bolting security onto the System Development Lifecycle”
  • The need for a Chief Risk Officer
  • The right and wrong kinds of Fear, Uncertainty and Doubt (FUD) to spread
  • The issues of how a small business deals with security versus business objectives

There were many other very insightful comments that should be of interest to anyone concerned about security and risk within their organization. I found myself wanting to jump in, at times, to add my two cents’ worth. But of course, I couldn’t. So, I’ll add my comments here.

Scott's Comments

Mature security professionals often seem to have a healthy, burning need to ensure that the business management ranks in their organization understand: (1) What they have at risk,  (2) What’s being done about it, and (3) Why.

I think continued effort in this area is the key to making progress in the short term. There were some good suggestions in the panel regarding things we’d like to see happen across the industry to address the root causes of our security deficiencies. But one of the most effective ways to get the business part of an organization on side with security is to start a mature, high level discussion with executives about business risks. This can be done in the short term, in any organization. I'm a bit surprised that this idea wasn't mentioned in the panel discussion.

This kind of high level conversation with an executive is not something a brand new CISSP certified security professional can easily do.  You have to have experience in at least a few relevant projects, and you have to understand the business impacts of current vulnerabilities.

Credible Conversations With Executives

Credibility is critical. You have to be able to offer something like the following wisdom to an executive when you have them alone in a room: “We have a weakness in our customer identity management security. A similar kind of vulnerability has led to catastrophic breaches at , and it could happen here. What many organizations are doing to mitigate this kind of risk, as well as future, unforeseen risks, is to have a comprehensive risk management plan…” 

This is just an example of such a starter conversation with an executive. Being able to connect the dots and translate the issue into business risks and relevant consequences implies that we need seasoned security professionals in key roles. I don't think it's really a matter of certifications. Believe it or not, executives like to listen to people who’ve made mistakes in relevant areas before (or, better yet, worked with people who have made those mistakes). In a small organization, there may be nobody who is willing or able to have this conversation. But you can get help from security consultants with business experience to do this.


Another suggestion I have for getting security and business organizations to work together within an enterprise is that, for larger organizations, a two-in-a-box approach can work very well. I’ve seen this work well within the Government of Canada. Typically, on the IT side of a department, there is a security professional who reviews all project deliverables and looks for impacts on risk. This is what we call the “System Security Engineer”. On the business side, the key business manager might have a delegate who is responsible for Enterprise Risk Management. This is somebody who knows how to communicate risk issues to the executive, and to whom the executive will listen.

All security risks that are important, by definition, must have an impact on enterprise risk. So, a close, constant dialogue between business risk management and IT security risk management allows for faster response to threats, as well as more appropriate security safeguards for the organization’s business processes.

Awareness at Two Levels

Of course, education and awareness are also key enablers of security and business communication. In my view there are two kinds of awareness that should be addressed. The first is executive awareness of high level risks to the business, as I described above. The second is the more traditional security awareness education for staff, at two levels: general awareness and workflow-based awareness. These are areas in which I’ve worked for both public and private sector organizations.

With respect to the high level risk awareness issue, it’s not until this awareness of relevant business risks happens that management will commit any real support for investment in a security or risk management program. This is the time when I’ve seen that a little bit of FUD – appropriately sanitized and fed to executives – can help to grease the wheels. But there are a few real dangers to be aware of in making this kind of awareness pitch:

  1. You can’t make anyone look foolish for not being aware of these issues before
  2. You can’t allow a witch hunt to be launched when internal examples or data are used to make a point about current vulnerabilities
  3. You must constantly repeat that security risk management is a continuous business process that will help management become more pro-active.

There are other critical success factors, for sure. But these are the ones I’ve seen that are super-important to consider.

Let's Talk More

I’d love to be involved in these kinds of round-table discussions in future. So, if you are holding one, or just want to have a facilitated session between management, IT security and user representatives, please let me know. I’d be happy to participate.


Scott Wright

The Streetwise Security Coach

Phone: 1-613-693-0997
Scott Wright on LinkedIn 


LPamelaA said on Wednesday, June 22nd 2011 @ 1:29 PM:

Very interesting analysis Scott, and your point about security professionals needing to interact more regularly and effectively with the business side of the house is dead on. My company, Symantec, works with our customers’ CISOs, internal IT staff and channel partners to help them foster a culture of security awareness with everyone in the company. Too often, employees don’t hear from the CISO or the IT department until after the organization has been hit by an attack or suffered a breach.

Group Administrator
ScottWright said on Wednesday, June 22nd 2011 @ 2:41 PM:

Thanks for the comment, Pamela. Welcome to the Streetwise Security Zone.

That's a good point about your team working with clients. Businesses in the security industry must really consider how to educate clients without scaring them away, or using up their entire security budget on a single part of the security environment. It's similar to what I described, but maybe even more sensitive, if you want to have a long-term relationship with the client organization. Whether it's an internal or external relationship, your credibility will determine how successful you are with having those conversations.

I'm looking forward to seeing more insights from you here in the future.

DavidB said on Thursday, June 23rd 2011 @ 12:09 PM:

I've spent most of my working life in engineering and have come into contact with many companies who have taken different approaches towards SAFETY with differing results.

The most successful make safety a "culture", not just an add-on.

I see security in exactly the same light. People make far better decisions if those decisions are "informed", and we make decisions on a regular basis in our normal use of computers that could impact security.

The more people are engaged in the subject, the better they are informed, the better the results.

Copyright 2012. Security Perspectives Inc. All Rights Reserved.