Friday, March 7, 2014
To Achieve Good Security, you need to Focus on Business
In 2003, the Slammer worm shut down ATMs, call centers, even 911 emergency dispatch centers. People died. “We would finally get the CEO’s and CFO’s attention,” we thought again, and we were wrong again.
In the next 10 years we witnessed a succession of worms, Trojans and viruses shut down and compromise Department of Defense networks, banks and nuclear facilities. We are constantly told that our critical infrastructure is at risk: terrorists can take control of our railroads, power systems and other critical infrastructure. The time has finally come for management (and the world) to listen to us!
We had seminars and Gartner symposiums with CIO’s around the world. We have written whitepapers. Cisco, Symantec, IBM and 3com spent billions building or buying technology to stop the attacks and secure networks.
And… It didn't work. Nothing we did could stop the attacks. We made laws, fined people, and increased penalties for hackers. We held companies liable for leaking personal private data and made them pay millions in fines.
Then, we - and I speak here as a CISO with 20 years of experience – blamed the management.
Surely, it was the CEO’s fault for not understanding cross-site scripting, SQL injection, APTs and other risks associated with the Internet.
Maybe it was the CFO who didn't understand that it’s impossible to calculate the ROI of securing the network. So we tried to come up with a strange formula called Return on Security Investment (ROSI), but the CFO saw through this and called our bluff.
We had CISO and CSO forums, councils, worldwide meetings, whitepapers, and endless PowerPoint presentations - all to come up with programs to educate the CEO and CFO. We came up with simple marketing slogans like “self-healing network”, “Security Transcends Technology” and “Security is a process not a product”. Whole companies were created to teach the CEO and CFO.
But ultimately, the CEOs and the CFOs weren't the problem – we were: CISOs, CSOs, and VPs of Network Security didn’t understand business. We refused to see that ROI was – and has to be - the driving factor for the CEO and CFO.
We need to learn their language rather than attempting to make them understand ours. We need to understand senior executive management. We need to align our priorities with theirs. It is not our job to lock down the network, keep the hackers out and prevent data loss. That should be a side effect of our real priority and a unique and valuable side effect that only we can achieve.
Our real priority is to help our $750 million company become a billion dollar company. We can’t stop running with scissors - we have to run faster and we need to make them sharper.
Too many failed security initiatives cost the company money and have had little or no effect on the ability to protect company property or client privacy. In some cases they actually hindered the company mission.
Consider the TSA in the United States. Their mission statement is “Protect the Nation's transportation systems to ensure freedom of movement for people and commerce.” So, have you flown lately? How is your “freedom of movement” at the airport? There is a 3-year-old girl with spina bifida in a wheelchair that will never threaten the transportation system again, because she is terrified to enter an airport after her experience of “freedom of movement”.
Most IT security initiatives have taken their eyes off the ball. They focus on “prevent” when they should focus on “enable”.
We need to add real value to our company, showing that a properly run security and privacy group can reduce costs, increase customer and user satisfaction and drive revenue. We need to take some courses in finance and learn about CapEx and derivatives. We should live with the following six financial terms stapled to our foreheads (or at least on our screen savers): Bottom Line, Gross Margin, Fixed versus Variable Costs, Equity versus Debt, Leverage, and Capital Expenditures.
Once you understand the priorities of the CEO and CFO, you can prioritize security budgets. Now you have the advantage, because you understand both the security implications and the financial implications. If your security initiative breaks the bank, or makes people want to drive (to a competitor) rather than fly with you, you have failed.
Keep things in perspective; keep your eye on the ball. You can become the most important member of your firm’s executive management team if you can achieve this.
(Originally published on net-security.org, Monday, 29 July 2013)