In Violent Agreement

By David Mortman

My Friday post generated some great discussion in the comments. I encourage you to go back and read through them. Rocky in particular wrote an extended comment that should be a blog post in itself which reveals that he and I are, in fact, in violent agreement on the issues. Case in point, his first paragraph:

I think we’re on the same page. As an industry we need to communicate more clearly. It wasn’t my intent to fault any information professionals as much as I’m hoping that we all will push a bit harder for the right conversations in the future. We can’t just let the business make poor decisions anymore, we need to learn their language and engage them in more meaningful dialogue. We’re yelling in the wrong language. We just need to put that effort into learning their language and communicating more effectively. How is it that we can read HEX in real time but can’t converse with an MBA at any time?

Read the last sentence again. It is that important. This is something I’ve been fighting for, for a long time. It’s not about bits and bytes, and until we get that through our heads, the rest just doesn’t matter because no one in command will listen to us.

Rocky closed out his comment with this though:

What would IT security look like if we spent as much time on those thoughts as we do on compliance tools, dashboards and monitoring?

I think it’d be much more business centric and hopefully significantly more respected in the C-suite. What do you think?



By ds

One thing that might help is changing the economics of the game. Young people don’t buy insurance because they experience fewer medical issues (except for dumb asses like me that were always in the ER). Business units currently don’t pay for the losses they incur- that’s centralized into IT/security.

If we have charge backs for response costs related to incidents, that might shift perceptions (I did an “anonymization of losses” post on this a couple weeks ago).

By Rich


Great analogy and great point. Perhaps the question is how can we raise awareness or increase pressure so the pain is felt earlier. Sometimes the pain is already there and the execs just don’t know about it. One former employer was firmly convinced that their customers didn’t have security as a high priority, because they were talking to the wrong people in the organization. So I told them who to talk to, and what kinds of questions to ask to better elucidate the customers’ needs. Suddenly it became clear that there was a need that was just unnoticed. Similarly, often corporate lawyers are focused on IP, HR and business law and don’t have the time to track new compliance/regulatory issues. By doing that myself and raising awareness on the early side, it enables the business to start preparing earlier, which means they can be more effective and more competitive.

Or in the case of things like integrating security into the SDLC make the organization aware of the potential benefits so they can start tracking costs of out of cycle patches and shift when the pain point gets too high. Which is what seems to be happening with college age kids. The pain point of not having insurance has yet to outstrip the pain of getting and maintaining insurance for instance.

By David Mortman

I was having a conversation around this notion at dinner, and one of the parties had a really good analogy involving the youth and insurance. 

The gist of it is, college students in their 20’s don’t tend to buy insurance since they don’t feel they need it.  No means of marketing or message manipulation has seemed to change this perception, even by those who are very effective at marketing other products to this same demographic.  That same group begins to accept the need for insurance when they begin to need medical care.

In fact, it is so extreme that in the new health care plans working their way through the Gov’t, there are criminal penalties being proposed for those that don’t buy in.

In other words, external factors force decisions.  We merely like to think we had a hand in the game. 

Sound familiar? No matter how much we massage the message, they aren’t buying until they feel they need security (sure is easy getting buy-in after a breach, isn’t it? Did the message change?) or if they are forced (regulatory compliance, anyone?).

By ds



By David Mortman

While I mostly agree, I think the problem is slightly different.  For example, a lot of people think the solution is to speak in terms the business understands, such as risk or whatever else.  This thinking only further illustrates the problem.

What really needs to happen is that the business needs to invest time in understanding security, and we need to work together to create a common language.  It isn’t a matter of us learning theirs or they ours. Until the business takes the problem seriously enough to invest mindshare in understanding it, we’ll go nowhere.

By ds

I couldn’t agree more with the statement about speaking with MBAs.

On my bedside table is a book entitled “The 10-day MBA” for exactly that reason. Why? Because I don’t have an MBA, but need to be able to interact with business in a language they can understand.

It also provides me something almost, if not just, as important, a view into the mindset of the people I am trying to influence. If we don’t understand what motivates and constrains the actions of others, we are going to have a very hard time figuring out the best method of guiding them to make decisions that include the concerns we have as information security professionals.


By Kevin Riggins

I will add a left uppercut to the violent agreement here.

As a pretty non-technical guy I am always amazed at how so many of my more technical security brethren speak security at the business and are shocked when the “communication” goes awry.

There are days, in fact, when I feel like I’m in the movie ‘Office Space’ doing my version of “I take the requirements from the customers and give them to the developers!  I’m a people person!”

Good posts and great comments.

By Armorguy
