In the vast majority of organisations for whom I’ve provided guidance, the security departments are seen as something to work around, not alongside. In not one of those organisations was security actually seen the critical and intrinsic-to-the-business asset is can, and should be.
While I have written incessantly about this all being the CEO’s fault for not creating the necessary culture, the fact remains that most security professionals do themselves no favours. However good intentioned our actions may be, most of us completely miss the point. Like it or not, our entire existence is predicated on achieving the following:
“To provide the business with all the information, and as much context, as we can to enable them to make the best decision they can.”
Yes, that may include decisions that we in security would consider completely unacceptable, and would likely never make ourselves. It also may even include decisions that turn out to be really bad ones, but that’s just as much our failure as theirs.
The bottom line is that if we cannot speak the business’s language, if we are unable to convince them of the risks, we have failed them. There is no room for towering egos or hubris in security, it does not matter what we want, it only what the business needs. This will never be our decision, and we should never expect the business to speak our language.
I’m not saying that if you’re a cybersecurity professional that you have to say yes all the time, but you should avoid saying no whenever possible. Frankly, it’s not your job to do so. And as much as we would love to believe that as security experts we’re here to help, and that we have the best interests of our clients at heart, we will never be anything more than enablers. What’s more, if we’re anything less than that, there’s little point in having us around.
In the movie Office Space, one of the most cringe-worthy moments was when Bill Lumber reveals the “Is this good for the Company” banner. I remember laughing at the ridiculousness of the message, and laughing again when our hero tears it down. Almost 18 years later, here I am expounding the exact same message as that banner.
Because in security, we rarely have enough knowledge of the company’s big picture to put our guidance and recommendations into the right context. Even if we know that the company’s long-term goals are, unless we sit on the board we are in no position to appropriately address the risk appetite. A Sword of Damocles scenario to us, may well be a necessary gamble to keep the business competitive.
That leaves us only 2 things to do:
- Explain risk in the format they respond to best; detail the impact of not doing what we suggest; provide suitable alternatives; and
- Cover your arse by having THEM sign-off on the residual risk.
The business does not need our approval to proceed with even the most egregious risks, but that does not mean we have to like it. Legal have far more power than we’ll ever have, but even they have to compromise. That said, we are fully entitled to document our objections as part of the final sign-off, but we should never take this personally.
As a corollary to the last paragraph, never, EVER say “I told you so”! Given that it’s likely partially your fault that senior leadership didn’t make the right decision, your only focus should be to help mitigate the negative impact. Take the high road, you’ll be employed longer.
In the simplest terms, map everything on your Risk Register to the business’s goals, and only worry about the things that impact them. Doing the right thing in security is rarely, if ever, measured by security metrics, it’s measured by the company’s success.
[If you liked this article, please share! Want more like it, subscribe!]