Risk without Romance

Why do smart companies ignore good advice about security?

It is a popular belief that security departments are seen by their parent organizations as mere cost centers, necessary evils, or mindless regulatory requirements. This belief is reinforced when budget requests are denied, and new responsibilities are piled on without concern for resource constraints. It often seems like Security and Safety departments speak one language, while the rest of the organization speaks another.  

That popular belief makes sense given the symptoms reinforcing it. But there is good news for those of us who work in risk:  Your organization DOES NOT WANT to see security as a cost center!  

Now the hard truth: If you're treated as a cost center, it means your organization is sick. It is YOUR JOB to treat the symptoms, one by one, until security and the rest of the organization can work in harmony.

Why do organizations hire Security Leaders?

Every organization, whether it is a business, a non-profit, or a government has a MISSION.  Founders, employees, owners, and elected officials spend their time, money and sweat to achieve that MISSION, and to build lasting structures that will continue to achieve that MISSION in the long run. Any dollar that doesn’t bring them $1.01 closer to achieving the mission is a dollar wasted. Any day spent distracted by low-importance, non-urgent work is a day lost on the road to the MISSION before the clock runs out. 

When an organization establishes a security department, they are dedicating dollars and days to activities that could otherwise be applied to directly achieving the MISSION. That means that security is much more than a necessary cost. You are a service provider expected to enable the MISSION. 

Organizations hire Security Leaders to enable their MISSION.

Therefore, you need to be intimately familiar with the organization’s MISSION, as well as the resources and processes required to achieve that MISSION. This is how you learn to speak their language. 

How do organizations expect security to enable their MISSION? If they knew, they wouldn’t have needed to hire you! You know that a proactive security program can protect critical resources, respond to crises, minimize losses, and provide valuable guidance. Know that these details are “security language” and your leadership is never going to speak that language. They can’t afford to, because a day spent learning security’s language is a day lost on the road to the MISSION.

Why do organizations ignore Security Leaders?

The kind of people attracted to the security industry tend to be mission-driven people. This is a wonderful and rare quality that makes for meaningful work and meaningful relationships. A side-effect of this quality is that security teams tend to develop their own missions and then treat their mission as THE MISSION. For example, here is the first part (of seven!) of the mission statement for the California State University System: 

To advance and extend knowledge, learning, and culture, especially throughout California. 

-California State Universities

And here is the mission statement for the Information Security Department at Chico State, one of the California State Universities:

...to secure system and network resources, and protect the confidentiality of student, faculty, and staff information.

-Chico State Information Security Department

These two missions are almost diametrically opposed. If you take the view that the security team is a service provider expected to enable the MISSION, then there are only two paths to reconciling the security mission with the MISSION:

      1. The organization must educate itself on security practices enough to only ask for the services that “secure network resources” in a way that does not preclude “the advancement and extension of knowledge.”
      2. The security team must understand how their protection activities impact “the advancement and extension of knowledge.”

The wonderful book The Phoenix Project elaborates on this conflict, and how it can go wrong, in detail by following John Pesche, the fictional CISO of a fictional company being transformed from sickness to health. But don’t take my word for it; here is CISO Paul Love’s “aha moment,” realizing the need for a unified MISSION.

“As a 20-year security veteran, John’s [the CISO in the book] totally selfish ‘my way or the highway’ attitude actually made me physically mad. Who did this guy think he was anyway? Why was [the author] painting the infosec practitioner in such an unflattering light?

After finishing the book, I took a moment to look back on my career. Thinking of all of the people like John who I’d run into and worked with over the years, I realized, with a little bit of terror...I was John.

It wasn’t until 2004 that I truly internalized that security is a part of the business, not against it... In order for the business to succeed, we’ve got to realize that Security and the rest of the company are not at odds. It’s crucial that we learn to work together.”

-Paul Love, CISO

Treating the Symptoms

From here the outlook may seem bleak, but there is light at the end of the tunnel. The sickness is identifiable, namely The Catachresis of Risk Terminology. The symptoms are clear:

    • It feels like Security speaks a different language from the rest of the organization.
    • Security is treated as a cost center. 
    • Security budget requests are denied without alternatives or acceptance of the implied risk. 
    • New responsibilities are piled on without consideration for available resources. 
    • Security’s mission is independent and/or at odds with the organization’s MISSION. 

If you treat these symptoms, you will measurably improve the health of your organization. So how do you go about doing that? 

Start by being consistent in your own language.   

    • Know your organization’s MISSION inside and out and understand how your department’s activities affect that MISSION.
    • Make your security and risk vocabulary second nature:  
        • Know your assets and their relative importance to the MISSION 
        • Know what threats target those assets 
        • Know each component of your security program and the value it provides compared to the costs to maintain it.
        • Whenever you are asked about an asset, threat, measure or cost, you should be able to answer in the same way, using consistent language.  
    • Then start to learn the organization’s language. Your organization is never going to learn to speak “security,” but they likely speak “risk and opportunity.” You need to learn to put your security needs in terms of risk.

Once you build the habit of being consistent in your own language you can start on the symptoms: 

    • If Security is seen as a cost center, start reporting on the value of security alongside costs. Costs are important, don’t ignore them. But costs alone do not show the whole picture of how security investments help achieve the MISSION.
    • If Security budget requests are denied without alternatives, start providing your own alternatives. Include a quantifiable measure of the risk that will be reduced along with the budget requested. Provide contextual comparisons between the risk that is currently being reduced and the budget that is currently being spent.
      • I know some security directors at the highest level of maturity that accompany every budget request with a rejection signature saying that the signee accepts the additional risk delta represented in this request. This builds an audit trail, in the organization’s language, about who is making decisions that affect the MISSION.
    • If Security is the dumping ground for an ever-growing list of responsibilities, be ready to ask what parts of the existing security program they would like you to stop doing to make room for these. Be ready to speak to the value and cost of each piece. Better yet, provide your own alternative on the trade-off and how it will affect the organization’s risk picture.

Great, more work you don’t have time for. . .

The work of treating these symptoms is complicated but not complex. It requires diligence and consistency in the face of resistance, but no single piece is beyond your abilities. However, the scale of it all may be beyond your patience.

Fortunately, consistent, complicated tasks are ideal for automated solutions that help you organize your security and risk vocabulary and track the metrics that will be critical for speaking the right language to the rest of the organization.

Quill is a purpose-built tool for security teams to cure the sickness that is keeping your organization from achieving its MISSION. Make your next assessment a permanent assessment, one that will make it possible for you to provide the services your leadership needs, with the resources you need to deliver them.