Security is My Business, and Business is Good

By Rich

It’s been a while since Richard Stiennon and I worked together, and I’m learning one of the more enjoyable aspects of blogging is the opportunity to pick on him again.

In a post today over at Threat-Chaos Richard states,

Most of the premise of this week’s Security Standard conference in Boston appears to be that CIO’s, CSO’s and IT security practitioners have to treat security as a business process just like any other. My perspective is that treating IT security like a business process is like treating a tactical military strike force as a business. While maintaining the capability of military forces could be a process open for improvement by applying some business discipline, actually fighting battles and overcoming opposing forces does not have much of the “business process” about it. Security is much more akin to fighting a battle than it is to “aligning business objectives”.

I admit I have a penchant for taking analogies a little too far, but I think comparing IT security to a military strike force might be a bit much. Sure, some of us have short haircuts and we like to talk in acronyms, but the whole never-getting-shot-at thing is a pretty significant difference. And the occasional conference t-shirt isn’t nearly as cool as all the free military swag.

Richard is trying to make a valid point that tactical operations in security aren’t as amenable to business objectives and process as perhaps some other areas of IT. But I, of course, disagree.

Back when I was a paramedic and firefighter we spent an inordinate amount of time optimizing our processes for dealing with crisis situations (I’ve moved on to firefighting instead of the military since my 4 years in NROTC probably don’t qualify as hardened battle experience). It was only by turning crisis (battle) into process that we could manage the challenges of life-or-death emergencies. It’s all about process, from the algorithms of CPR to the steps of rapid sequence intubation. Without process you have chaos. The more efficient you are at process, the more you can operationalize crisis management, and the more effectively you can manage incidents. And these processes are even aligned to business objectives, some small (don’t kill the patient too much), some large (retain capacity for multiple operations, manage resources).

Once everyday crisis is process it takes something really extreme to break operations and force you into incident management mode.

I define incident management as “what you do when you’ve exceeded regular process”. This definition is stolen from what we refer to in emergency services as a “Mass Casualty Incident”, which is anything that exceeds your current capacities. In IT security, the more incidents you can manage through efficient process, the less you spend on a day-to-day operational basis, and the more resources you have available for “the big one”.

Security that isn’t optimized and aligned with the business is really expensive, and unsustainable in the long run. Even the Army can’t treat every battle as a one-off. It’s still all about business objectives… and business is good.

(bonus points to whoever identifies the source of the slaughtered paraphrase I used for the title)


[...] does a fairly good job of answering Richard’s article, but at the risk of taking the comparison too far, let us imagine how a tactical strike force that disregards processes, and “alignment with objectives” might operate on the field of battle. [...]

By Military Strike Force

I also think it was used in a movie. I have found several variations dating back to 1947, like a 50’s FORD ad "selling cars is our business…" and 70’s Sugar Ray Leonard "hitting is my business…" But then again, if it’s on the internet, then it’s gotta be true. Right?

By will

I think most are started to enable business.

That might be the source. Someone also thought it might be from a movie "Death is my business…"

Truth is I put the quote in hoping someone would identify it. I highly suspect you’ve nailed it, but I keep thinking it was also in a movie.

By rmogull

If there is one difficult problem in IT security that no one has solved yet, it is finding good analogies. I’d argue that some armed conflicts are started to "enable business". Incidentally, isn’t that where the title comes from? (Megadeth’s "Killing Is My Business… And Business Is Good!")

By max
