It’s been a while since Richard Stiennon and I worked together, and I’m learning one of the more enjoyable aspects of blogging is the opportunity to pick on him again.

In a post today over at Threat-Chaos Richard states,

Most of the premise of this week’s Security Standard conference in Boston appears to be that CIO’s, CSO’s and IT security practitioners have to treat security as a business process just like any other. My perspective is that treating IT security like a business process is like treating a tactical military strike force as a business. While maintaining the capability of military forces could be a process open for improvement by applying some business discipline, actually fighting battles and overcoming opposing forces does not have much of the “business process” about it. Security is much more akin to fighting a battle than it is to “aligning business objectives”.

I admit I have a penchant for taking analogies a little too far, but I think comparing IT security to a military strike force might be a bit much. Sure, some of us have short haircuts and we like to talk in acronyms, but the whole never-getting-shot-at thing is a pretty significant difference. And the occasional conference t-shirt isn’t nearly as cool as all the free military swag.

Richard is trying to make a valid point that tactical operations in security aren’t as amenable to business objectives and process as perhaps some other areas of IT. But I, of course, disagree.

Back when I was a paramedic and firefighter we spent an inordinate amount of time optimizing our processes for dealing with crisis situations (I’ve moved onto firefighting instead of the military since my 4 years in NROTC probably don’t qualify as hardened battle experience). It was only by turning crisis (battle) into process that we could manage the challenges of life or death emergencies. It’s all about process. From the algorithms of CPR to the steps of rapid sequence intubation. Without process you have chaos. The more efficient you are at process, the more you can operationalize crisis management, the more effectively you can manage incidents. And these processes are even aligned to business objectives- some small (don’t kill the patient too much) some large (retain capacity for multiple operations, manage resources).

Once everyday crisis is process it takes something really extreme to break operations and force you into incident management mode.

I define incident management as “what you do when you’ve exceeded regular process”. This definition is stolen from what we refer to in emergency services as a “Mass Casualty Incident”; which is anything that exceeds your current capacities. In IT security the more incidents you can manage through efficient process, the less you spend on a day to day operational basis, and the more resources you have available for “the big one”.

Security that isn’t optimized and aligned with the business is really expensive; and unsustainable in the long run. Even the Army can’t treat every battle as a one-off. It’s still all about business objectives… … and business is good.

(bonus points to whoever identifies the source of the slaughtered paraphrase I used for the title)