It’s been an interesting few days, folks. I’ve had more than a few conversations with people about the role of security, talking to stakeholders and how to actually understand the worlds of security. And one of the things that I keep tripping over is that people have a very tactical view of security.
Now, ok, I get that this is necessary. However, my argument is that it’s not the focus of what we do, it’s the details of what we do.
And the thing about details is that it doesn’t matter how brilliant the details…how fast you can pick the lock…or whether you can take over my MacBook Air.
In fact, I can’t do any of those things. I mean, I’m sure I could learn, but they’re not things that really interest me. There’s a world of other things in business, leadership, security, architecture, philosophy, psychology and human behavior that I’d rather focus my efforts on.
But that’s just me.
The point is that if you’re picking the wrong lock, or breaking into the wrong computer or protecting them, or chasing the wrong patch or crying wolf about the wrong vulnerability…
…at the wrong time
…to the wrong people
It’ll just kill your credibility.
“Oh, you start with the assets, then you get the threats and then…” was something I heard recently.
Which assets? The ones that you can kick?
Oh, you mean the ones that were obsolete before you clicked the “Buy Now” button on the latest, magic cloud information dispersal device with the click-through policy that says, in big, blinking, 40’ high, pink neon letters:
The supplier’s in charge.
Because they’re a supplier. They’re advertising the service that you picked based on whatever criteria—probably cost…maybe convenience…or maybe just so you could get your work done.
But are those the “assets” that matter to your customers?
Do you know who your customers actually are?
Do you know what you do for them—no, really, can you explain it in a way that they would understand?
How about this one: do you know what they value? Or what they’re trying to accomplish? Or what their motivations and constraints really are?
Do you understand when they’re likely to take bigger risks to get what they want—and, most importantly, why they would do that?
Hand on heart, I can truly say to you, you’re not gonna find the answers to these questions calculating the empirical financial value of a set of bits on a cloud storage service…or the dollars/fan revolution ratio of some rack-mounted piece of blinken-lights.
The only way you’re really going to figure out the answers to those questions…
…the only way you’re really going to figure out what you, the security professional, are actually supposed to be doing, to what degree, with what priority and where
…so that you truly enable the business
…enable the business to take the risks they need to take
…as safely as possible
…and enable the business
…to make informed decisions
…about the consequences of the risks they may face
…in both your blinkin-lighten, APT-wearin, socio-economic disruptor-infested world
…and in their word
…the world of business…
The ONLY way you’re going to figure out the real job you have…
…which ISN’T implementing 50 NIST standards in 50 days, BTW…
The only way, is by being able to successfully meet, to successfully engage, to successfully connect with, and to successfully understand the world of your customer.
How confident are you in your ability to do that right now?
How confident are you in your ability to truly understand the world of your customer?
…to know what motivates them…
…what scares them…
…how they think.
Maybe you are. And it’s possible. It’s not hard.
It’s just…it’s something most people don’t really do. Because it’s much easier to get all keyed up about killer cables, IoT hacks and being aware – and afraid – of all these brilliant people doing really awesome crazy things…
…and those things happening to you
…to your assets
…to your 1’s and 0’s
…to your clouds
…to your spinning fans
…to your kernels
You know that stuff. You live and breathe it.
It’s your world.
But your world is only a means to an end, and that end is what matters to your customer…to the business…to the organizations that pay your bills.
Can you really afford not to understand what they care about?
If you’re not sure, or you’re not confident that you can successfully understand what you’re really supposed to do in order to deliver risk-proportional, business-driven security,
I’d suggest you check out the upcoming September issue of the paid Security Sanity newsletter. It’s all about how you can better understand your customer’s world, and how you can understand them better…how you can build trust, credibility and respect with the non-technical side of the house.
And the only way to get it, is by subscribing via this link before it goes to the printer:
P.S. and yes, I know there’s a million extra spaces in this email. I have one of the “new, most-awesome-est-est” MacBook Airs with the most annoying and broken keyboard I’ve ever actually owned. This may be the machine I own for the shortest period of time, so I apologize. If you can’t deal with the extra spaces, have Siri read it to you or something… 😉