One of the toughest challenges we face as security professionals is proving the value of what we do. I mean, so many people have the attitude that basically,
“We get paid when nothing happens.”
And, to a point, that is true. If we’re doing our jobs correctly, then things will go smoothly. However, things going smoothly isn’t quite the same as “nothing happens.”
What we really mean to say is that “nothing bad happens.”
Because if we’re doing our job correctly, in fact, EVERYTHING happens. All the stuff that’s supposed to happen anyway.
The customers see things they can buy.
We take their money.
We protect their information so they feel safe enough to buy again.
We give them products and services that meet or exceed their needs…
…so they buy again.
That’s what it’s all about—even when the “buying” doesn’t involve cold hard cash. Sometimes it’s emotional. Sometimes it’s giving time. Other times it’s giving information. Sometimes it’s giving expertise.
Whatever our customers are “buying”…well, that’s the stuff we need to figure out. We need to understand why they buy, and we need to understand exactly what happens through the whole process.
That doesn’t sound like “security” to you?
Oh, but it is. Because security is about protecting and enabling the delivery of value to a customer. So if we don’t understand what that value is, then there’s no way we’re going to be able to hitch our security star to it.
Which is exactly what we need to do.
If step 1 is understanding the value our organization’s customers actually buy, then step 2 is being able to identify, prioritize and manage all the potential ways that value might not be delivered.
Ultimately, we can’t do this without understanding the concept of risk and being able to reliably and repeatably assess that risk in a way that links our world to the world of the business—which, of course, ultimately links it to the worlds of our organization’s customers.
If we get the right risks, and we have the right connections, then it’s actually pretty easy to demonstrate that a failure to do X could result in a potential lack of Y.
However, another problem we have is that we don’t have the right risks. Well, we might have the “right” risks identified, because those are the only ones we know we can manage…
…but we have them at the wrong time…
…or we’re trying to tell the wrong people about them.
Of course, we need to understand the overall exposure to a zero-day vulnerability in one of our core, public facing applications…
…and we need to be able to estimate the amount of damage that could result, in terms of either ongoing compromise of our environment or in an exposure of the data encoding the information of our organization and about its customers (because “loss” isn’t the right word most of the time).
But outside our world, what does it really mean?
What’s the difference to the organization between 10,000 and 10,000,000 data records being exposed?
Our internal customers see this kind of stuff in the news almost every week, and yet…the organizations are mostly still in business, and (mostly) the customers who were impacted are either:
- right back buying the next day with a newly-refreshed credit card, or
- pretty quickly replaced by new ones.
The challenge is connecting the dots. The challenge is making it relevant.
So, the real challenge is to connect and calculate the value of bad things in our world to bad things in the worlds of our internal business customers to the bad things that could happen in the worlds of our external customers.
That’s really what doing risk assessments is all about. And that’s why there are 4 different types of them, done at different times, and in slightly different ways, depending on which question you’re really trying to answer at which link in the overall traceability chain.
To figure out what they all are, how they’re related, and how they unlock the ability to demonstrate and communicate the value of what we do, you might want to check out the May issue of Archistry’s paid, print newsletter, Security Sanity™, where I lay all this out and help you avoid getting lost in the details and focus on what questions really need to be answered.
But, you only get it if you’re subscribed by the deadline at the end of the month, and the way to do that is by visiting this page:
There’s a risk that you might already know everything I’m going to cover. But there’s also a risk that you might not.
As always, it’s up to you to decide. But don’t wait too long. There are only 6 days left.
Andrew S. Townley
Archistry Chief Executive