Let’s get straight to it: Contrary to popular belief, Information Security isn’t a technology, it’s not fundamentally about technology, it’s not even primarily technical.
Achieving a state of security requires thought, lots of it, based around thousands of technical, procedural, cultural, organisational, political, and even emotional elements, many of which are in constant flux and interrelated.
It’s important to note that the ultimate root causes behind security lapses, failures, breaches, ransomware, etc., are never technical. Never.
So why do most organisations insist on making security almost exclusively an IT matter? And why do most security leaders treat it as such and try to address issues primarily through technology, long after the failures have been initiated by other factors?
In the last 10 years I’ve seen a tremendous shift towards “detection and response”. It’s the “admission” by security professionals that we cannot stop breaches, that we cannot fundamentally secure organisations, and we must therefore invest massively in detection, mitigation, and response.
“Resilience”, in Information Security circles, is now a term used to define being able to get back up after being knocked down by an attack. But what if resilience meant not getting knocked down in the first place? Isn’t that better?
But let’s take a step back. How and why have security practitioners decided that we cannot fundamentally secure organisations?
Yes, it is theoretically impossible to perfectly secure something. But considering that most security teams are highly isolated in what is often a technology department or silo, with very little idea as to what is actually going on in the business, how could they even get close to what is possible in terms of effective business-tailored protection (which goes far beyond IT security tools)?
If your security team doesn’t know what matters to the business, what the strategic direction is, what the revenue sources are, what factors influence them, or even which systems are used for what purpose (and that purpose’s commercial value), how can they possibly determine the optimal approach and resource allocation to best mitigate risk?
They can’t. And the fact that security is becoming an increasingly uniform and standardised technical function should worry us all, because it means that it is operating solely on the common denominator of IT systems rather than addressing the unique structure, operation, and culture of each organisation – something that is essential to understand in order to protect it proactively.
It means we are not playing a role in ensuring that businesses are secure from the start, instead chasing incidents in their IT systems.
It makes much more sense to build a house with sturdy walls, sturdy doors, and solid locks than to build a house out of paper and spend a fortune on alarm systems, crime scene investigators, and repairmen. Assuming the alarm even goes off, your ability to respond in time is always in question, and it’s both expensive and inefficient.
And yet this is the prevailing approach in security. One need only look at the security job market to see a claimed shortage of millions of people, virtually all of them in reactive IT roles. Positions for individuals who actually build things securely are a tiny fraction of demand, and those who would focus on business alignment are far fewer still.
This is potentially due to something as simple as a lack of business and leadership skills in IT, which I believe is the real skills gap that needs to be solved in Information Security. The irony is that the technical skills gap would likely disappear if we addressed the leadership issues and considered things more holistically, beyond constant technical band-aids.
But while security practices need reform in order to be effective, businesses also need to understand what a proper security function can achieve in order to drive change and bring in the correct leadership to establish such a function. It goes far beyond what most think.
So what can a security function achieve? Well, a reduction in information security-related business risk, obviously.
But what if we threw the risk equation out completely? While most security professionals would say everything they do is about risk, I believe the true value of a great security function lies elsewhere.
First, we need to establish that the level of protection offered by the current status quo approach to Information Security is vastly overstated. Let’s be real; does an approach where spending reaches record levels almost every year while, despite this, the incidents and losses increase exponentially seem effective to you?
Obviously not. A primarily “detect and respond” model will never be cost-effective; in fact, its cost-effectiveness is decreasing fast. As mentioned before, we need to focus on a proactive approach where we build things right to suit our organisations and how they operate, in a bespoke manner.
To do this well requires enormous levels of engagement with the business and thinking about how things work together, and that’s where things get interesting.
Setting this goal drives a mentality shift in security organisations. To be granted that needed level of engagement, of involvement, by the business typically means the security organisation needs to start being altruistic and delivering business value everywhere possible.
And that brings us to the second half of the equation: quality. The vast majority of security issues, whether unmaintained systems, missing patches, outdated platforms, poor code, process failures, overcomplication resulting in people cutting corners, etc., are not actually security issues. They are quality issues.
If you care about building a fundamentally secure business, you have to focus on quality.
Elegance of solutions, simplicity, visibility, repeatability, light governance, agility, cost-effectiveness, maintainability. These are all aspects of quality that will make systems and processes inherently more secure, cheaper to maintain, easier to monitor, and generally lead to a whole lot less to detect and respond to. It results in real security. Real resiliency.
It also means a better understanding of your business and IT capabilities and costs, and increases those capabilities, as well as your business’s agility.
Then there’s the fact that, while it’s a significant business enabler in terms of your technology, a security function doing its job holistically is one of the very few that crosses all departments and silos. This makes it uniquely placed to identify business, process, and cultural deficiencies as well as untapped synergies.
Finally, effecting change to culture, process, platforms and more should lead you to a point where environments are in a good state by default, not just after large remediation projects. This means not only operational savings, but that you can afford more transparency with your customers too, leveraging security as a differentiator from your competition and a selling point to your customers.
The cost? All of these additional benefits from a business-minded and truly holistic (beyond IT) approach to “security” (read: quality) should more than cover the cost of your security function and reap additional business dividends. It shouldn’t be a cost centre; it’s a visibility centre and, ultimately, a quality centre.
Oh, and it does a pretty good job at eliminating risk too.
Is your organisation on the road to becoming Mutable?