Like many of you, I've discovered that security has become cocktail party conversation. Inevitably, when I mention what I do for a living, people respond with something like, "Wow, business must be booming!"
Yes, security is getting more media attention, but that doesn't necessarily translate into bigger budgets or, in the case of consultants and security vendors, more revenue. I've spent the better part of the last year trying to figure out why this disconnect exists, and I think I have the answer. In spite of everything that's happened, and no matter how hard we push, information security doesn't matter.
Now, before the infosecurity mafia comes to revoke my credentials, let me clarify. Sure, security matters, especially to security pros. But most senior executives at Fortune 500 companies think about security in terms of physical security and business continuity, with a passing interest in computer security. There are obvious exceptions, but information security has yet to become the boardroom issue we'd hoped it would.
Why? Because we think of ourselves as security practitioners first, technologists second and businesspeople third (if at all). We consider our jobs extremely portable; whether we work for a bank, a pharmaceutical company or a consulting firm -- the job is pretty much the same.
The problem is that our security-centric view of the world often comes at the expense of the business itself. For years, we've been saying that the goal of security is to protect the assets of the company. But if we truly had the objectives of the business at heart, the goal of security would be to ensure the company's ability to grow and fulfill its mission in the face of a changing risk environment. To do so requires us to think of ourselves as enablers of corporate strategy, as opposed to "defenders of the faith."
Roadmap to a mindset
The good news is that there are numerous tools at our disposal to help us execute on this strategy.
Metrics: Many CISOs claim that metrics serve no purpose in infosecurity, for two reasons:
- We don't have a way to measure qualitative things like policy development and awareness.
- There are no quantitative measures of event occurrences, so we can't calculate statistics like annualized loss expectancy (ALE).
To both of these claims, I'll quote the eminent philosopher Snoopy: "Ptui!" We shouldn't care about risk incidence; we should care about the resilience of the business in the event of an exposure. Risk happens. Instead of trying to minimize the chance of it happening, we should focus on limiting its impact when it does.
Business resilience: You'd be amazed at how simple a concept this is, and equally amazed at how difficult it is to see. There are a number of core things (processes, capabilities, characteristics, etc.) that drive a company's earnings and success. For example, in a service company, it might be the ability to maintain senior-level relationships or attract high-level staff. In a manufacturing firm, it probably has to do with supply-chain management. In each case, these items have an incredibly high "cost of failure" -- that is, the loss of that capability/process/characteristic would have a devastating impact on a company's earnings.
Yet, as we've seen with a number of companies, these earnings drivers are often underprotected while other areas are overprotected. In one case, a company was spending $50 million a year to protect a process that had a cost of failure closer to $8 million. Guess what? That company just found $42 million to be reallocated.
Six Sigma: General Electric, Motorola, Honeywell and others have spent years trumpeting the value of Six Sigma as a quality tool. Many companies have begun applying it to their business processes.
As the rest of the organization begins to think this way, CISOs need to look at how their internal security processes can be improved. I've seen Six Sigma applied to security operations, provisioning and even policy development processes -- often with dramatic financial benefits.
The sooner we can stop thinking of security as something that's "different" -- something that doesn't fit into the traditional business mold -- the sooner businesses will start taking us seriously. That time is now.
About the author: Anish Bhimani is a senior associate in the Global Assurance group of Booz Allen Hamilton and the author of Internet Security for Business (Wiley, 1998).