There was an interesting piece of research released this week by Digital Guardian, which made a number of key points, the first being about the lack of a strategic view within many security functions.
I see this on a daily basis; the issue is exasperated by a number of issues and some unique to security, others are age old business issues that are never going to go away.
Let’s address the obvious first, the business issues that we are all very accustomed to: resources, money and customers. The very aim sited in traditional corporate finance for the existence of any business is to maximise value to its shareholders, therefore resources and finances are always going to be directed towards those areas of the business most likely to generate income or profits. We all see examples of this acted out on a daily basis: “Hey! How come sales still get to hire people and I have no security analysts left!?”
This is just something we have to accept. Equally, in order to generate those sales, organisations (the larger they are, the more obvious this is) will look to existing customers to dictate where to concentrate its efforts. If an existing and well paying customer tells you that the one thing they would most like to buy is an inflatable dart board, companies will find a way to get it done.
What customers are unlikely to ask for in the current climate (although I have seen exceptions) is real security. It’s not something that they want; it’s something that they feel ‘should’ be there. It is regarded as a back office function, something that needs to be inherent in a product or service but not a product, service or differentiator in its own right.
In my mind, the security specific barriers to providing a more strategic function come from the same place as many of our “New CISO” concerns. The issue is founded in our growth from a childhood based within the IT function; the hands-on operational role of a technical security function is something that has been around since the beginning and we were comfortable with the recruitment of networking or infrastructure guys who show an interest in security.
We were happy that we could find a group of technical guys who love to fiddle around with servers, hack websites, monitor IDS and configure windows policies. This issue is then compounded by all of the business issues that we discussed above fit in nicely with what we understand best.
Consider the business and security issues combined. Finances: What’s the minimum we can spend on security in terms of money and resources? A technical guy who can stop us getting hacked, what do our customers say? They’re happy if we don’t get hacked. Instant gratification and the business is happy. The problem with this is, in the words of Bruce Lee, “Its like a finger pointing towards the moon, do not concentrate on the finger or you miss all that heavenly glory”.
There is an absolute necessity to have an operational security function, but we must never forget the strategic planning and direction that exists within other business areas. The standard curve that is applied to technologyl companies during their lifetime, the ’S-Curve’ they teach in ‘CIO School’.
Eventually when a company hits the top of that curve, a new disruptive technology emerges that blows it out of the water and the only ones who survive are the companies with the strategic wherewithal to see it coming and address it in the correct way. A similar curve could be drawn for your s
ecurity function; too long without a strategic view and you’re going to get breached somewhere down the line. But of course that doesn’t matter today, does it?
So how do we solve this? Unfortunately, the conclusion of most my blogs is likely to be pretty similar, it’s “our” problem and “we” need to sort it. It falls on security professionals to champion the strategic approach. Justification shouldn’t be hard, just look at the speed of technology – a company or in this case a function who doesn’t keep pace will inevitably lose out.
Transitioning of (predominantly technology) controls out of the security function is something that has helped me to free up, or create, strategic resources within security in the past. For example, the article calls out anti-virus as a major spend for many security functions. The job of the security function, in my eyes, should be to identify the need and requirements for anti-virus, why should we own, manage or purchase it.
The sign of a mature security function is one that has embedded security in to normal business processes, when the infrastructure team builds a new server it has anti-virus on it as standard, security does not need to be a part of that until they conform that is the case at some point down the line. The ultimate goal for me is to have no budget at all; that will signal to me that I have woven security so tightly in to the fabric of the organisation that they instinctively include security within everything they do.
As with everything else, security is not the first to have this issue. Look for support provided by other business areas. If finance are pushing you for a 3-5 year budget forecast, you can not fail to need a strategic view to support that.
If product vendors are producing 2-3 year product plans, you need a strategic security view to future proof those ventures. Predictions and forecasting should not be the preserve of the sales function, security needs to do its “blue sky” thinking and future planning just as much as anyone else.
Craig Goodwin is a vice president of information security