As a security practitioner, if you have, at some point in your career, had to answer the question: “why should security always impose difficulty on legitimate business users?”, you’re not alone. A lot of business users struggle to see the value that security adds to the business. It’s neither their fault nor their responsibility to figure it out; it is the security practitioner’s job to make them see what security brings to the table.
Nearly every day, we read or hear about attackers gaining unauthorized access into corporate computer systems and helping themselves to a heap of business-critical data on their way out. Stories like this are easily comprehensible, but telling the business users that “this could happen to us” just doesn’t cut it. Enterprise defenders need to be able to provide a reasonable rationale for every action they take or urge the business to take. Information security controls, where appropriately deployed, will always enable (rather than inhibit) the business. For instance, where attackers seek to gain unauthorized access into the corporate network via any of multiple available entry points, a defender who identifies and reduces the number of possible entry points to his/her enterprise network limits the available attack surface. It is the responsibility of the practitioner to educate the business on the potential consequences of not implementing appropriate controls.
To get upper management on your side as a security practitioner, you should, at a minimum, be able to answer the following questions:
- What are the business objectives of your employer?
- How would information security help your organization realize those business objectives?
- What (and where) are your mission critical information systems?
- Why would an adversary want to attack your organization?
- What are your highest priority information security risks and their corresponding mitigation steps?
These are common questions that every information security practitioner should be familiar with, but what separates a great practitioner from a good one is how the answers to these questions are articulated to key decision makers within the business.
Given that they read and hear about data breaches all the time, business leaders know that it’s nice not to get hacked, but they also know that it’s nicer to increase profit margin. Because many organizations can conveniently withstand isolated cyber security incidents, if given a choice between getting hacked and maximizing profits, many business leaders will pick the latter all day long. This should not surprise anyone; after all, a business exists first and foremost to make money, not to be secure. With that said, a security practitioner with a good understanding of the business model should be able to advise upper management on the types of security incidents that could hurt the business for years. One thing common to many organizations is that they don’t know what their risk tolerance level is. An experienced security practitioner earns his/her money through close collaboration with business leaders to determine the organization’s appetite for risk – at least from the standpoint of information risk.
By definition, risk is probabilistic, and so is a security incident – it may happen, it may not happen. Based on several factors unique to his/her business environment, the information security practitioner needs to be able to advise business leaders on the likelihood of a security incident occurring and the corresponding business impact should it occur. In an environment where the information risk appetite is already well defined and understood, upper management can then make well-informed decisions on the risk treatment approach or on technology investments in security products.
To be successful as an information security professional, a broad perspective, good communication skills and strength of character are among the major attributes required. Security practitioners should not be instilling unfounded fears through buzzwords and technical jargon. Rather, those words should be decomposed and explained in terms that the “layest” of men could understand.
To give yourself a chance to be understood, try translating complexity into simplicity before entering that meeting room this morning.