Tuesday, October 24, 2006

Strategic Security

The folks over at CIO Magazine did an interesting article on the state of security in the enterprise. Overall, the numbers were pretty disappointing even though they don't surprise me -- a significant number of enterprises that I talk to want to have security, but they also want it in an enumerated list that can be tested with a series of check boxes. Got FIPS?

For a product manager, this is great. It means I can run down a list of certifications that I need to hit and make sure that I pass them. FIPS? Check. Common Criteria? Check. ICSA? Check. The list goes on -- but boy do they make writing product requirement documents easy. I think for my next release I'm just going to shout a bunch of RFCs and certifications across the building. Much easier than, you know, doing work and stuff.

But for a product marketing guy worried about the message he's trying to send, the fact that the enterprise hasn't figured out how to align security with their business means you're always chasing after a tight budget. Sure, security budgets are growing, but just as fast as you see head room over anti-virus, firewalls, and IDSes, you've got anti-spyware, anti-malware, and personal firewalls. Endpoint security from the big guns literally requires a dedicated aisle at my local Fry's Electronics store. And if you haven't been to a Fry's in Silly-con Valley, let me just say that this is a store that's big enough to have a dedicated section for vacuum cleaner air filters and half an aisle of various breadboards. Handy should you ever feel like hacking your vacuum cleaner.

In short, my homies over in the security department need to suit up and learn how to make a business case. The bottom line for any money spent in the company is how does this either save more money or make us more money? Nebulous fearmongering about botnets coming to take away your bandwidth carries about as much weight as Weird Al begging you to not download this song. Until security teams succeed at aligning security needs with the business' goals, we're just not going to see security become any more important than the cost of buying a couple of licenses for anti-virus software and maybe a firewall.

2 Comments:

Anonymous D. Berger said...

You say: "Until security teams succeed at aligning security needs with the business' goals, we're just not going to see security become any more important"

I disagree - I'd say "Until businesses face actual consequences and have accountability and liability for poor security, we're just not going to see security become any more important."

In other words, poor security isn't just "family business" that can be swept under the rug, it affects your customers. Once your customers - be they individuals (as in the case of a bank, say) or other companies - can hold you responsible for poor security practices, *then* there will be incentive to do more than just talk about it.

9:31 AM  
Blogger Steve Shah said...

d. berger said: "Once your customers ... can hold you responsible for poor security practices, *then* there will be incentive to do more than just talk about it."

There lies the challenge -- if the business understood security issues to begin with, we wouldn't need security focused teams. The business, for lack of a better understanding, sees security folks as a cost center to "keep bad things out" and that's all. They are about as tactical as the guard at the front door.

The security team needs to be able to communicate the goal in terms the business can understand and that almost always boils down to dollars and cents. I've seen this task done at a financial shop where the CIO demonstrated how looking at security strategically addressed both the liability issues as well as product faith issues (how do we get more people to use the web site?) in one shot. Dollars and cents...

4:58 PM  