Been composing this blog for several months now, and it started when I was thinking about how superstitions begin; It’s bad luck to walk under ladders, or it’s 7 years of bad luck if you break a mirror for example. And then it occurred to me that these superstitions were probably the only way to scare children into, or out of, certain behaviour.
Walking under ladders, well duh, things fall OFF ladders, so don’t walk under them, and mirrors used to be really, REALLY, expensive, so telling children that breaking them would have horrific consequences makes a lot of sense (in a very negative way of course). I’m surprised that playing with matches didn’t become a superstition, but then again, household-use matches were not readily available until the 1800′s.
Unfortunately, these things have a way of sticking around long after the original cause is either meaningless, or worse, is twisted and perverted by those with a vested interest in the status quo. ‘Heretics’ were burned at the stake for suggesting that the Earth revolved around the Sun, and not the other way around*, and ‘witches’ were similarly killed in horrific ways when they suggested that herbal remedies were better than leaches and other forms of bleeding. Priests and Doctors respectively were very protective of their power.
Human nature has changed very little since then, only societal laws and the more progressive ‘norms’ keep the peace.
I have for years likened information security to insurance, in that no-one wants to spend money on it, but they know it’s a cost of doing business. And more recently I have likened security to the law, because it’s becoming so complex in terms of regulation / legislation / standards etc, that’s it’s often out of reach for the organisations and individuals who need it most.
Now I find myself likening security to superstition, because from the way we’re going, it won’t be long before being in security will have the same stigma as being a tax auditor, a parking enforcer, or a lawyer. QSAs are almost there already because the entire concept of PCI is so limited, but there is no reason true security professionals should not be seen in the same light as those responsible for driving revenue growth or competitive innovation.
Security departments are something people go out of their way to avoid, or to circumvent. They are seen as the department-who-says-no, who will stifle innovation and good ideas, and generally do the one thing that would label them heretics; get in the way of revenue.
Nothing could be further from the truth, as no other department has the knowledge and DESIRE to do the things that make staying is business possible:
- Innovation: It’s the 2000s, the vast majority of innovation now is in technology. Who else is best placed to pick the RIGHT technologies to ensure that innovation is implemented in a way that enhances the organisation and not just adds risk?
- Business Transformation: Competitive advantage in the information age is now measure in weeks and months, not years, organisations without the ability to adjust critical business processes quickly and appropriately will be left behind. What other department has the knowledge of exiting processes to enable the adjustments?
- Revenue Protection: Can you think of anything worse than seeing all your revenue disappear into the hands of regulators because your focus on selling failed to take into account that your processes for doing so were completely inappropriate. I understand completely the pressures, but revenue generation is not about doing what it takes, it’s about doing what’s right.
- Reputation Protection: I could have put this under revenue protection, but wanted to break this out as corporate reputation goes way beyond just revenue, and my OCD will not allow for an even number of bullet points. Damage of reputation through loss of data C.I.A. can have long-term negative effects on a business, just ask CardSystems who went from $25M / annum to out of business in less than 1 year after their breach.
- Infrastructure Investment Optimisation: OK, long title, but consider that the amount of money spent on PCI is already in the multi-billions, when a huge chunk of that could have been save by adjustments in PROCESS. Technology purchase is the last resort of a true security professional.
I really don’t have an answer to HOW we can ensure our reputations remain unsullied, and there are a lot of so called security experts out there giving the rest of us a bad name, but I think the worst thing to do is fall back one of the phrases I hate most in this world; “It is, what it is.”
Actions speak louder than words, and I will never stop trying to show my clients that security is something to be embraced, not avoided.
Forward this to all your friends or you’ll have 3 years of bad luck.