What started as a response to Antony Burke’s recent blog post morphed into a challenge to an industry which I believe has failed in many ways, the main failures being in accountability and, frequently, in its fiduciary responsibility to business and government. I’ve been mulling over the problems in the security field for a while and thought I would offer some feedback in a few of the areas I think could use improvement. Some of the reasons why people cut corners in security within an institution have to do with the lack of metrics, the absence of accurate risk analysis and, as Greg has pointed out in past shows (and I agree with him), pure arrogance. I’ve witnessed all of these within organizations, and then heard security professionals lament the absence of budget or support from senior management. The first two take time and effort to prepare, but if you really care about security in your enterprise, then it’s worth doing. The last one is harder, because it means changing the way we work and the way we want to be perceived in the world.
As IT professionals, we should be held accountable for quantifying the threat to an organization, because that is the solid evidence needed to justify the budgetary expense in any sound business model. We can’t keep using security risk as a “Boogie Man” lurking in the shadows in order to frighten management into increasing our budgets. Yes, metrics gathering and risk analysis are about as exciting as watching Congress on C-SPAN. We’d all rather be doing the sexy stuff in security like pentesting and reverse engineering. The other stuff is BORING, right? But if you want to get and keep a budget, metrics matter, and risk analysis is critical to determining priorities. If we don’t create a security strategy and align it with the rest of IT, then why should we be surprised when we aren’t included as participants in the decision-making process?
As to my other point, arrogance, I’ve spoken about this before. I’m constantly flabbergasted by the behavior of so-called professionals in an industry which frequently relies on scaremongering tactics and bullying to achieve its goals. Not that I haven’t witnessed this in other areas of IT, but it seems more egregious to me in the security field because there’s so much at stake. The advice I offer is the same I would give to anyone delivering critical information: if you want to be heard, you first have to listen to the needs of the individual sitting across the table from you. I encourage everyone to cultivate the core competencies of emotional intelligence, such as self-awareness, self-regulation, empathy and leadership. I think this is a harder shift to make, because security professionals like to see themselves as rebels and non-conformists. But this attitude won’t get you healthier budgets or respect in an enterprise. Fostering collaboration is imperative if we want to build good business relationships. If we remember that technology and our jobs only exist because of the business, instead of the other way around, then we’ll be better at our jobs. Security is everyone’s business; it’s time to put the egos away.