Speaking the "Language of Security"
Recently, I've come across a spate of articles discussing the need for security professionals to "speak the language of the business." This phrase has been used often to describe the underlying reason that CSOs and CISOs are not considered strategic partners to the business leadership (Taylor Armerding's recent article in CSO summarizes the situation rather nicely.). Sure, we can all do better at dumping the professional technical jargon (and this has gotten much better over the past decade); but even as we summarize risk tradeoffs in plain English, we Warriors of the Light are still met with this biting (and trite) criticism regarding our inability to communicate with out most important constituent. When I've asked senior business professionals what "the language of the business" means to them, I've gotten inconsistent, nebulous answers. The best answer I received regarding this topic came from a former CEO who came up through the finance ranks. "The answer is dollars," he said to me. "Until you can tell me with absolute certainty what not patching that system will cost me in dollars, or what the absolute risk in dollars will be of not giving you a new tool or another body, I will always question the truth of your calculus." This calculus makes us slightly different from our IT brethren, who can link their costs more directly to revenue via availability and/or new business.
A hard truth, to be sure. Our profession will continue to struggle against this perspective. This truth will become harder still as the scrutiny of senior leaders and even the Board of Directors increases around security issues due to external regulatory and consumer pressures. Yes, we security professionals still own the bulk of the communication challenge…
…but we do not own it alone.
While I applaud, support, and participate in the efforts of the security community to bridge the communications gap -- and let's be clear, it is our gap to bridge -- it's time to address the other side of this equation: the business itself. Communication, by definition, is two-way. While it's incumbent upon me to learn the language of the environment in which I operate, it is equally important for our business brethren to understand and appreciate some of the equally hard truths that exist within security's operating space.
Here are some hard truths that security professionals would like business leaders to understand:
I Don't Want to Be Your Top Priority. I recently heard a former storied CEO and current board member of several prominent tech companies say, "I want to know enough about security to know that we are okay, so I can go on to the next marketing problem." Frankly, I feel this attitude and approach is healthy. He hired a CSO to take security off his mind. If that CSO does his job correctly, the CEO's concerns will fade considerably. There are, however, some upfront costs to that approach. The CEO and CSO need to work together to decide how to depict data in a manner which resonates with his concerns. My tools and processes can measure dozens of data sets, but what are truly the best way to show the amount of work it's going to take to defend the network? Or the daily normalcy of attacks that occur (and our success rates against them)? As your security professional, I will work hard to determine the correct metrics to depict an appropriate understanding of the landscape, as well as a holistic picture of our security posture…but this will take some trial-and-error and some back-and-forth between us. Be willing to make the time for that collaborative discussion, as I am truly terrible at mind reading Just ask my wife.
While I Don't Need You To Agree With Me, I Do Need You to Listen To What I Have To Say. Contrary to anecdotal opinion, I'm not an alarmist. The sky is not falling, nor are the evil hacker hordes storming the gates RIGHT NOW. If I express a concern about a business practice or operational decision, don't dismiss me as a paranoid zealot who sees disaster around every corner. Just like business leaders, security professionals hone their craft over the course of many years. Our understanding of risk issues is as valid as a business leader's understanding of market opportunities. Give us the courtesy of your focus when we express a concern, even when we can't necessarily present data analytics. Be aware that sometimes empirical data only becomes clear in the aftermath of an event, versus being a predictive indicator.
Compliance is Not the Same Thing as Security. Too often businesses hire security professionals either (a) in the wake of a breach; (b) to stay ahead of regulatory demands; or (c) to appear 'focused' on security challenges due to external pressures. Nothing wrong with these incentives in the slightest, but the mindset of the business in these situations tends to be focused on staying ahead of regulatory/compliance issues versus addressing security needs. Actions which address truly securing the environment but which aren't explicitly stated as a regulatory requirement are seen as excessive or needless. We still run up against this quite a bit in companies seeking to meet PCI-DSS requirements; many business clearly see the need for a control applied against their credit card data, yet struggle to see the need for similar controls against the petabytes of non-anonymized personal data within their environments. Businesses should be honest with themselves and transparent with their security professionals: if what you're looking for is just compliance, tell us. It'll keep us from banging our heads against the wall as we attempt to bring secure solutions to your enterprise.
Stop Asking Us "Are We Secure?" The security professional defines "security" as freedom from risk. No matter how good s/he may be, as long as its doors are open for business a company will never achieve a zero-risk state; stop expecting me to tell you that you will. This also applies to operational objectives such as "never being breached" or "zero operational impacts due to security events;" even if you gave me every dollar I requested in my budget, I could never guarantee you such absolute success. Now, asking me if our controls are up and running or how our controls/performance compares to others in our business vertical is fair and reasonable (though the latter may be hard to determine due to a lack of information sharing about security issues).
Let's Make Tradeoffs Together. The security professional's job is rooted in the principles of risk management. This means making hard choices regarding risk versus return. While we're comfortable with this, some circumstances do and will require additional resources in order to keep the risk at its current level. The business, not the security professional, makes the ultimate decision either to (a) reallocate resources, or (b) accept the risk. This is an important point to emphasize, because security professionals are facing multiple challenges in this area.
At the end of the day, the function of a business is to make money. Business leaders can be reluctant to acknowledge an increase in security risk, since risk mitigation may be costly and blame can be the market's first reaction in the event of an incident. Security professionals do understand the risk tradeoffs, and accept them as part of growing a profitable business. We need open, honest dialogue with you regarding risk tradeoffs.
I Will Support & Defend the Business, Regardless of the Decision You Make. Once I've been heard and we've discussed tradeoffs, I will support your decision and execute it to the best of my ability. Your decision to accept additional risk does not give me a free pass to let bad things happen in the environment. A security professional will always fight to keep the evil hacker hordes from storming the gates, regardless of the risk decisions made. Period.
While the bulk of the communication burden rests with the security professional, I believe business leaders also have a responsibility to come to the table ready for an honest, open dialogue. Not wishing to burden the company with costs not associated with direct revenue benefit is not a sufficient reason to avoid the expertise and knowledge your CSO brings to any discussion. Give him a listen - he might just surprise you.
My two cents…