One of the subtler challenges of security is actually knowing the scope of your job. And it’s made trickier by this “cyber” hype disease we’ve collectively caught as an industry over the last few years. I think it’s actually sort of a function of the crisis of definition over the roles in a security program I talked about in the July issue of the newsletter, because if you think there’s a talent crisis…
…you’re gonna wanna be the peacock with the jazziest, brightest and shiniest feathers to attract all those unicorns out there.
So we took our security programs, and we made them sexy…cyber-sexy.
But in fact, that actually did two things:
First, it meant that all the years of trying to convince “the business” that security was about more than technology and protecting IT assets sailed right out the window with the baby and the bathwater.
Because “cyber” means tech, because it’s weaknesses in the tech that get exploited so all your coveted customer information is streaming out of the datacenter with a whoosh of an illicit data Hoover.
So, we need to protect the tech and forget about the rest of it.
And second, it meant that since the focus was now all about playing Whac-A-Mole with threat-intelligence feeds, we get threat-based instead of risk-based security decision making.
If you add this to an organization that’s a bit challenged about the whole risk thing, risk ownership and how much risk they’re really willing to much on a daily basis, then it can end up being pretty dysfunctional.
…and then, we get highly technically-focused individual knocking on the doors of the executives and asking them about their “security requirements” like we talked about before, and you’re dead before you even start.
Instead, what we need to do is start talking about risk, which means we need to understand what that risk is to the people we’re trying to help.
And it’s also gonna mean that we need to talk to the risk they have in relation to the information the business manages and how much they’re gonna get done on any given day.
But to your average propeller-head, threat-whacking security engineer, it’s pretty hard. Now, I know you’re not one of those people. You’re different, because you actually understand it’s not just about the technology.
However…you still might not have the tools and the confidence you need to speak to the executive team or a line-of-business owner in their language.
Enter the September issue of the Security Sanity newsletter. We’re going to talk all about those things, and my goal for the newsletter is to give you the tools you need to:
- Make sure you’re speaking to the right people
- Get the information you need to truly enhance your security program, and
- Establish constructive and collaborative relationships with your security customers
I know that seems like a lot to pack in to just a few pages, but that’s what I’m going to do.
So if you want it, head on over to this link and subscribe today: https://securitysanity.com
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
