I usually agree with Jack Daniel. You know, we curmudgeons need to stick together. But one of the requirements of membership in the Curmudgeons Association is to call crap when we see it. And much as it pains me to say it, Jack’s latest rant on InfoSec’s misunderstanding of business is crap.
Actually his conclusion is right on the money:
In order to improve security in your organization, you need to understand how your organization works, not how it should work. [emphasis mine]
I couldn’t agree more. The problem is how Jack reaches that conclusion: basically by saying that understanding the business is a waste of time. Instead, he suggests you understand greed and fear; then you’ll understand the motivations of the decision makers, and then you’ll be able to do your job. Right?
Not so much. Mostly because I don’t understand how anyone understands how things get done in their organization without both understanding the business and also understanding the people. In my experience, you can’t separate the two. No way, no how.
I totally agree that everyone (except maybe a monk) is driven by greed and fear. Sometimes those aspects are driven by the business. Maybe they want to make the quarter (and keep their BMW) or perhaps they need to move a key business process to the cloud to reduce headcount. Those are all motivations to do security, or not. How can you understand how to sell a project internally if you don’t understand what’s going on in the business?
Your decision makers may also have some personal issues that color their decisions. Could be an expensive divorce. Could be a sick parent. It could be anything, but any of those factors could get in the way of your project. Ignore the people aspect of the job at your own risk – which is really my point. A senior security position is not a technical job. It’s a job of persuasion. It’s a job of sales. And both those disciplines require a full understanding of all the factors that can work for or against you.
One of the key trends I saw a few years ago involved senior security folks coming from the business, not from the ranks of the security team. These folks were basically tasked to fix security, which meant they had to know how to get things done in the organization. These folks could just as well be dealing with operational problems in Latin America as with cyberattacks.
To Jack’s point, they do understand greed and fear. They may have pictures of senior execs in a vault somewhere, and then inexplicably get the funding they need for key projects. And they also understand the business.
6 Replies to “How can you *not* understand the business?”
I can say there are definitely no absolutes. Everyone makes great points. Thanks to all that contributed to the discussion. There are definitely job levels (typically admin/junior person) where configuring a firewall or server is consistent, regardless of the business.
Which is really why my comments were done within the context of someone wanting to be on the management track. The reality is even lower level folks need to understand how to sell an idea and persuade folks, but to a lesser degree.
Mike.
Implementing security controls is all about understanding risk. Put the controls in the areas where you have the highest risk of loss over the absence of controls, and lowest risk from actually having the controls. In other words, do the best at preventing bad stuff while not impeding good stuff.
If one doesn’t understand how their organization stays alive, how does one know what to operate on? We as security professionals can’t attempt to fix every defect. There aren’t enough resources to fix everything, and “fixing” some things would mean unacceptable damage to the organization as a whole.
Unless one understands how their business runs, one can’t place proper value on processes and assets.
Ya know, sometimes I say stuff to wind people up…
And while understanding the industry you are in as well as the oddities of the org you work for may be ideal in some situations – that is not universal. I challenge anyone who understands the US auto industry to work in it; it is a case study in so many degrees of failure that a B-Movie-like “suspension of disbelief” is required to work in the business. Understanding that business is a detriment to day-to-day progress. I’m certain it is not the only such industry.
I’ve long been a believer that we spend too much time insulated in our security world, talking to other security people about security things.
Not to toot a really really old horn, but I was published on some methods to understand business processes and to work on securing them. http://bit.ly/17v5U2
The important thing is to understand what’s critical to the business first, and make sure that you’ve gone through those processes end-to-end to see if they are secure. That might involve people, process, technology, or (some people forget) facilities.
If you don’t really know what’s critical to the business – start with your DR plan. If everything goes down, then what does management say should be brought back up first? That’s probably pretty important to the business. At least, it’s a starting point for working through this with business execs.
Good piece. My $.02 (been doing this a lot, sorry).
What Jack Daniel missed in his article is that you have to (a) understand the business *and* (b) understand how the business really operates. You also need to think about how the business needs to operate to succeed. There is at least one gap analysis here that is absent in nearly every business with an online presence.
What you add – understand the people – is an intrinsic part of the above analysis and you rightly point out that the people factor is not considered often or deeply enough.
I think the key to Jack’s post (as you note) is “In order to improve security in your organization, you need to understand how your organization works, not how it should work.” and the key to yours is “A senior-level security position is not a technical job. It’s a job of persuasion. It’s a job of sales.”
I think the disconnect is that some people are of the opinion, I think, that every person who calls themselves an infosec professional needs to “fully understand the business”. Really? The dude taking your 2am call at the SOC needs to understand how your company cash flow cycle works or what motivates the CTO to make the decisions she makes? Pffft – that dude needs to understand basic infosec blocking & tackling and know how to implement the processes and procedures.
On the other hand a senior level person, to your point, needs to know how to Get Things Done. That person better understand how the budgeting cycle *really* works, which executives need to know about security initiatives and have bought into them, and (most importantly) have the stature/status to get meetings when needed to make their case. Otherwise they are wasting valuable oxygen…