Mrs. Y Throws Down the Gauntlet

What started as a response to Antony Burke’s recent blog post morphed into a challenge to an industry that I believe has failed in many ways, the main failures being in accountability and, frequently, in its fiduciary responsibility to business and government. I’ve been mulling over the problems in the security field for a while and thought I would offer some feedback in a few of the areas I think could use improvement. Some of the reasons people cut corners on security within an institution have to do with the lack of metrics, the absence of accurate risk analysis and, as Greg has pointed out in past shows (and I agree with him), pure arrogance. I’ve witnessed all of these within organizations, and then heard security professionals lament the absence of budget or support from senior management. The first two take time and effort to prepare, but if you really care about security in your enterprise, then it’s worth doing. The last one is harder, because it means changing the way we work and the way we want to be perceived in the world.

As IT professionals, we should be held accountable for quantifying the threat to an organization, because that is the solid evidence needed to justify the budgetary expense in any sound business model. We can’t keep using security risk as a “Boogie Man” lurking in the shadows in order to frighten management into increasing our budgets. Yes, metrics gathering and risk analysis are about as exciting as watching Congress on C-SPAN. We’d all rather be doing the sexy stuff in security like pentesting and reverse engineering. The other stuff is BORING, right? But if you want to get and keep a budget, metrics matter and risk analysis is critical to determining priorities. If we don’t create a security strategy and align it with the rest of IT, then why should we be surprised when we aren’t included as participants in the decision-making process?

As to my other point, arrogance, I’ve spoken about this before. I’m constantly flabbergasted by the behavior of so-called professionals in an industry that frequently relies on scaremongering tactics and bullying to achieve its goals. Not that I haven’t witnessed this in other areas of IT, but it seems more egregious to me in the security field because there’s so much at stake. The advice I offer is the same I would give to anyone delivering critical information: if you want to be heard, you first have to listen to the needs of the individual sitting across the table from you. I encourage everyone to cultivate the core competencies of emotional intelligence, such as self-awareness, self-regulation, empathy and leadership. I think this is a harder shift to make, because security professionals like to see themselves as rebels and non-conformists. But this attitude won’t get you healthier budgets or respect in an enterprise. Fostering collaboration is imperative if we want to build good business relationships. If we try to remember that technology and our jobs only exist because of the business, instead of the other way around, then we’ll be better at our jobs. Security is everyone’s business; time to put the egos away.

Mrs. Y
Mrs. Y is a recovering Unix engineer working in network security. Also the host of Healthy Paranoia and official nerd hunter. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop. When not blogging or podcasting, can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.
  • http://packetpushers.net/author/ecbanks Ethan Banks

    In my experience, arrogance is (1) rooted in glories long past or (2) a cover for incompetence or personal insecurity. You might as well wave a red flag of fail.

  • Reef127

    Security people tend to think that security is the most important thing no matter what the business. While security is important to every business, unless you are in the DOD or high-level government, your job in security is based off a company’s ability to make money. Too many security professionals lose sight of the fact that the company is there to provide services or goods. Not to have the latest toys for vulnerabilities that in all likelihood won’t be targeted at their industry.

    The real wake-up should be for anyone who’s in network security to realize that they are there to serve the company. Not to mandate policies and practices that hamper the company’s growth, or install products that make it almost impossible for people to do their jobs.

  • http://twitter.com/nkrypted Brandon Mangold

    Thank you. I have preached a similar message to my security counterparts. It boils down to the fact that we have to mitigate enough threat to justify the expense. Easier said than done, however, since the ability to quantify the threat in dollars can be a difficult task, as can the flip side of calculating the adjusted expense of said security widgets.