Not the business for InfoSec.
Information security practitioners come in many different types. There are IT risk assessors who have never set a static IP address and firewall admins who have never heard of residual risk. From security administrators to compliance officers, information security wears many faces. Regardless of which domain gets the emphasis, information security has one primary goal: Serve the Business.
Yes, that probably seems obvious. They’re paying you to be there, so you ought to do your best to support the company. But it’s human nature to see things through your own lens. An individual’s area of expertise is most likely to be the area that individual deems most important.
The leaders of an organization have many concerns to balance. Take a few major threats facing an airline for example:
- Fuel prices rise, and we lose money on tickets we’ve already sold
- Fuel prices fall, but we pre-paid for fuel at the old price, and now our competitors can undercut us
- A disease scare, and nobody wants to fly
- A terrorist scare, and all flights are grounded
- A low-price competitor moves into our region and takes our market share
- Pilots, mechanics, or flight attendants go on strike
The list can get much longer (and more accurate, I’m sure), but the fact is, the top threats to an organization are not technical in nature. They are set by the landscape of its industry.
As information security practitioners it’s our responsibility to find and report technical vulnerabilities where we see them. I believe we are good at this. It’s what we enjoy. But after we have reported the vulnerability and made sure its risk and scope are known, it’s no longer in our hands. The business must decide which risks to mitigate first.
What does this look like in real life?
You find a serious SQL injection vulnerability in your company’s publicly accessible web application. You have figured out a way for an authenticated user to pull the financial records of all your customers. You write up your finding, schedule a meeting with executives to report the issue, and eagerly await word that it will be development’s number one priority. But, for some reason, the developers are not jumping on this finding. They’re still working on that new product that is due to ship next quarter. You see this happen a few times and become disheartened. It’s at that moment you need to remember: information security exists to serve the business, not the business to serve information security.
You were not part of the meetings, but the executives weighed the risks and rewards of going forward with their new product launch versus fixing the bug you found. What they know, and you don’t, is that if they don’t get that product released on time they lose market share. That new product will infuse the company with the cash needed to stay afloat (and keep your job). The impact of someone exploiting your vulnerability may be high, but in their judgment the probability is low, so the fix gets pushed off.
Maybe your company gets breached, maybe it doesn’t. But at least the company survived to address the breach and move forward, instead of missing payroll and closing the doors. These are the kinds of difficult decisions business leaders have to make.
Who are you anyway?
A good information security practitioner is more than a technician. We need to be business people who happen to have technical skills. It is our job to inform management of the risks and educate them on the solutions, but it is management’s job to prioritize and provide the resources.
Connect with Robb on Google+