Successful Enterprise Information Security is about Progress
What does a successful information security program look like in an organization? The traditional answer would be something like, “Technology risks are kept to a level the organization is willing to accept.” That sounds pretty simple, right? Find the places where risks are greater than we’re comfortable with, then fix them.
That type of thinking works for a point-in-time evaluation, but it comes up short when we consider the dynamic nature of enterprise information security. Things change. New vulnerabilities are discovered, new types of technology are implemented, and new business requirements arise. In reality, there is never a point in time at which we have adequately addressed all of our technology risks. The rate of exploit discovery and the lifecycle for fixing vulnerabilities ensure that we will always have open issues.
With that reality in mind, we need to reconsider what makes a successful security program. Security should focus not on an end goal of “good enough” but on an end goal of sustained improvement.
Security can often come across as a demanding, RIGHT NOW discipline, and there are some good reasons for that. We know that attackers could break into the network at this very moment, and that gives us real urgency. The newest findings from researchers show that even the most trusted systems are vulnerable to exploitation. The reasonable first response is to jump into action and immediately fix the issue.
But when we work with the business, the reality is much bigger than just security. Our partners in the business have to worry about losing customers because we don’t deliver our products on time, competitors out-innovating us, the risk of financing falling apart, and many other business issues that could damage the business as much as (or, in many cases, more than) a security incident could. Against the background of all these competing interests, a security manager who continues to insist that our vulnerabilities are the number one priority is going to get tuned out, or worse.
What we can do instead is collaborate with the business to come up with a long-term plan for implementing security that does not inhibit the business’s innovation and progress, and that shows sensitivity to the overwhelming demands it is often under. Yes, the plan we agree on must take the organization to a level of acceptable risk. But we can do so over months and years instead of days and weeks, show improved security over time, and develop trusted partners within the business.
Enterprise security is a service function. We exist to enable the business to do its job without being crippled by cyber-attacks and unreliable systems, or losing its trade secrets to competitors. As soon as we stop enabling the business to produce better and faster, we become a liability.