Comments on: The Problem With Selling Information Security as a “Business Enabler”

By: San Rafael Plumbers

San Rafael Plumbers — Mon, 06 Sep 2010 08:06:00 +0000

Very well said, thanks for sharing your insight and I believe you all the way!

By: Bob

Bob — Sat, 31 Jul 2010 03:35:21 +0000

I have worked with a company that took security very serious. One of the selling points to potential clients “government” was they took the time to put infosec as part of the whole process in which they operate. I asked several clients what are some of the reasons they chose this company and a focus on security was a factor.

By: Matt McCright

Matt McCright — Mon, 30 Mar 2009 04:40:19 +0000

Analogies are tough. I have to build an "elevator speech" that can generate some productive attention from executives, but have had little success. It seems like there is still no effective replacement for building relationships with leaders, so that we reduce the need for one or another security ad campaign.

I believe that the most effective information and technology operations risk management today happens because of the joint efforts of serious information security professionals and leaders (formal and informal) across the various organizations that make up modern corporations in most fields today. Sure, execution of the day-to-day information and application security operations are still critical. But are they more noise without leadership and "connectivity" with the rest of business operations? Depending on the given corporate culture, this is less or more process-driven.

* Sometimes it is strictly a matter of personal relationships (a risk-elevating situation).
* In other situations, project processes link these communities for long enough to work out understandings and plans that may often facilitate effectively dealing with risks.
* Some organizations have broad and deep formalization of their organizational relationships, and the processes and information flows to maintain a shared understanding of threats, risks, controls & mitigations, current state, etc.

I believe that the first two situations above dominate, and that the third is an exception. As a result, what ever we do to support creation of a "risk-based enterprise website security strategy" or to find a new broad description of what about information security is valuable, it needs to be useful in those organizations that depend heavily on cross-domain relationships between serious professionals to prioritize risk management investments.

Get a new model for "selling" information security as an enabler, or a new enterprise website security strategy into their hands, and I believe that you will begin to get traction.

I wrote out a more fleshed out discussion of this notion at: http://completosec.wordpress.com/2009/03/28/what-is-information-security-and-how-does-it-help

Thanks

By: What is Information Security and How Does it Help? « Completosec Channel

What is Information Security and How Does it Help? « Completosec Channel — Mon, 30 Mar 2009 03:17:27 +0000

[...] pointed me to a discussion about information security as a “business enabler.” Daniel Miessler argued that: ‘Security isn’t an “enabler”; that line can hurt us. Security is about NOT doing [...]

By: joej

joej — Sat, 28 Mar 2009 06:14:19 +0000

Definitely. I'm with you on this.

I really do believe that, if infosec/security folks are doing a good job, then there is a gained efficiency (not just robustness, resilience, etc.)

One recent example:
Moving to field a DoD system to the field, we coordinated with the defense contractor to leverage Fortify SCA -- a manual code review would have been VERY costly.

This was focused only on the information assurance/security necessity (requirement, policy, etc.) - but they ended up loving its strength, got over their embarrassment at the kind of flaws that were in the code base and, in the end, moved to integrate this as part of their normal development & build practices.

End result: we saved (literally) millions of dollars (or) pursuing a waiver and fielding known-flawed code -- and we both got what we really can value:
- my organization gets improved quality/security and can oversee/audit a practice
- they get something that moves them forward more efficiently and keep us out of their shorts :-)

Nice win -- money and a practical, sustainable practice that dramatically affects what we produce.

==> I'd love to hear other, real-world examples of security + engineer/dev collaboration to produce successes.

By: Daniel Miessler

Daniel Miessler — Sat, 28 Mar 2009 06:00:40 +0000

I think this is in line with what I'm saying; it's a matter of quality ultimately, and security is a component of that, yeah?

By: joej

joej — Sat, 28 Mar 2009 02:27:05 +0000

If you don't perform basic "good health" engineering and development, then sure ... security is not an enabler. Security is one of those dumb, slow-you-down, "cross your Ts and dot your Is" anal retentiveness.

However ... if you worry about produce reliable, error free systems or software, then you include good practice, techniques, double-checks, etc as part of the dev/eng processes (called; "security") and you bring in some testing/external checks to ensure you didn't make obvious mistakes.

Looking at the Top-25 CWE list, repeated, low-level, obvious-to-spot and remediate (and abuse) flaws in systems and software ... I'm thinking this:

... The perception that security is a burden, comes bad practitioners: either security or the eng/dev folks on their team. Security is (again) not the problem, its a people problem.

By: cooperati

cooperati — Fri, 27 Mar 2009 05:00:04 +0000

re: Security as a “Business Enabler”;

i ask what about "risk" as an enabler? enabling is like opening doors, to enable, to make able, to create an opportunity to present your ability.

so, by opening that door, we enable, and we also take the risk also associated with it. to enable is to stick your head in a guillotine, to one extent or another. enabling is intrinsically risky. the two can go hand in hand.

security is, in opposition to risk, disabling. it defines limits of risk, specifically by disabling discriminately.

security does not open doors. it does not present opportunity. it frames ability with rules and protocols, trimming the field with limits and controls. thoughts?

i lack precision (for precise terms). but, philosophically speaking, security is not enabling.

so, you might ask, "What if you can't do a project unless security is in place?"

the project is the ability. security is the limits and protocols. boundaries, whatever you want to call it.

just saying "the project cannot proceed without security" is the first act of security disabling the action, coinciding with and reinforcing the definition.

thoughts?

By: Jon

Jon — Thu, 26 Mar 2009 22:12:16 +0000

I look at it like this. If you are a member of one of the companies line functions: design, production, sales, transportation, wholesale and retail, then you are a business enabler. If you are a staff function: legal, secretarial, custodial, PR, training, etc. then you are an expense. I consider security to be a staff function, but I may be wrong.