I saw a thread recently where someone was complaining about Dave Kennedy making a hilarious inside joke on CNN without any of the participants knowing. Evidently people on Twitter said this is why InfoSec isn’t taken seriously.
Then someone else showed up with this reply, which prompted my response.
The reason information security is not taken seriously by the board room and other senior executives is because we cannot translate risk into financial terms.
Yes, being hacked is being taken seriously. And they’re certainly ready to throw some money at the problem in order to fix it (or look like they’re trying). But this isn’t the same thing as respect.
Most industries are able to talk about ROI. Sales, marketing, etc. You have a certain amount of spend, and you get a certain amount of return.
That’s missing in information security, and until that changes we’re going to be considered dirty mages with arcane powers.
They’ll keep us around, of course, but we don’t get to eat with them. Our kids can’t date their kids. Etc. It’s not real business because it’s not based on arithmetic.
So, yeah, we have a bad reputation for being mischievous and such, but that’s not what’s hurting us. Our real obstacle is our inability to have adult conversations about return on investment.
Until then we eat at the kids table.