When starting a new career, many eager security professionals think their job is simply to secure data and the network. Over time, they realize that strategy can be in conflict with the needs of the business. Their ability to help the business requires them not only to possess security skills, but also to listen to business needs and to provide appropriate solutions so that the business wants to act accordingly.
In an effort to better understand how security can better communicate with the business, I asked security pros who’ve been deep in the trenches for years, “How have you been unsuccessful communicating security to the business, and how did you turn it around?”
Here are their stories.
1: Fight for total victory on day one
“If you’re looking for total victory on day one, you may never move the needle at all,” explained Josh Corman (@joshcorman), CTO for Sonatype, who realized early in his career that he should stop pushing for a binary, win-only solution.
“When we tried to project our values on the stakeholders it led to suboptimal outcomes and failures,” admitted Corman whose I am the Cavalry movement is focused on changing security in many areas, such as the automotive industry.
“Best way to get what you want is to not focus on what you want, but focus on what the target wants,” said Corman.
Corman advises security professionals to look for common ground. Go in slowly by putting some foundational elements in place. Once those are established, you’ll have the permission you need to move to the second and third phases of your security hardening effort.
Be ready for the long haul, warned Corman. “True change takes time. If you only go after the low hanging fruit and quick wins, you’re only left with really hard problems.”
2: Explain all the technical risks
“Executives and board members are utterly disinterested in most things technical. They just want to stay out of the WSJ due to a data breach,” said Ben Rothke (@benrothke), senior eGRC consultant at Nettitude Group. “By using the language of business risk and staying away from the gory technical details, communication about infosec is almost effortless.”
In one case, Rothke was working with a financial services firm that did not want to encrypt certain traffic to various locations in the EU because the CIO felt that speed was the number one priority for traders.
Rothke offered an encryption solution that wouldn’t significantly impact bandwidth. That conversation went nowhere since the CEO had no interest in encryption whatsoever. Luckily Rothke was able to turn it around by shifting the dialogue to EU data privacy requirements.
“Once it moved from the technical side to the side that the CEO could be in violation of regulatory issues, the dynamic changed completely,” said Rothke.
3: It’s my job to eliminate all risk
“I talked in absolutes like these ports had to be closed and this process was too risky and had to be altered,” said Street who was constantly butting heads with the network team and upper management.
That’s because you can’t eliminate all risk. Risk is a part of doing business.
“In the process of protecting your employer from risk, make sure you or your team does not become part of the problem,” said Street. “Instead, I should show my employer the best way to offset as much remaining risk as possible so they could accept as little risk as they needed so they could conduct business.”
4: You’re trying to reduce risk, so I’m alerting you about risk
While working with a client, Hallas thought his job was solely to explain the risk. He relied upon middlemen, the sales team, to translate that risk into how that would affect business performance.
“I didn’t educate them why security was going to help them hit their KPIs (key performance indicators) effectively,” said Hallas.
Instead, Hallas simply told them they should implement security for legal reasons and that, if things went wrong, it could damage their brand. Because they weren’t already worried about threats, that initial sales pitch didn’t work. If he wanted action, he had to focus on KPIs.
“Even if your thinking is right, you must align it with the audience’s needs and priorities,” said Hallas. “It’s not that it’s not right. It’s just that it’s less likely that it will be actioned.”
5: It’s not secure, so I can’t allow it
When the iPhone was first announced, security professionals argued that it could never be used in a corporate setting because it simply didn’t have the security controls of the BlackBerry.
“No amount of corporate political willpower can push back the force of iPhone lovers,” realized Storms.
While Storms’ team put in significant technical controls to stop the flow of corporate data to insecure iPhones, determined users still found ways to get company information onto their new phones.
“We had to change our tactic,” admitted Storms. “Strong arm methods have limited capacity lifetimes. Eventually, people have to come together and learn to compromise. It made a lot of people remember that the goal of IT is to be a business enabler and that’s exactly what both IT and security had forgotten over the years.”
6: Impose “best practices” through rigorous documentation
“The idea of static security policies and procedures is almost orthogonal to the rapid growth of startup organizations. People do not want to document today a process that may change tomorrow,” admitted Michael Dahn (@MikD), co-founder of Security B-Sides.
While working for an agile and growing startup, Dahn unsuccessfully tried to document and impose best practices for formal security policies and procedures. Then Dahn discovered Atul Gawande’s book The Checklist Manifesto, which expressed the value of checklists for doctors, pilots, and construction workers.
“The way to both accommodate a startup culture and maintain security controls is to develop agile checklists rather than rigid processes,” said Dahn. “They act as a light-weight method to drive accuracy of activity while enabling the flexibility of creativity and change. People are much more responsive to the creation of a series of small checklists that ensure consistency than they are to long-winded policies that are more effective as book-ends than drivers of process.”
7: The network is suffering so we have to fix it
Spam is a perpetual problem. Left uncontrolled, it can have devastating effects on your email infrastructure, consuming CPU, memory, and server disk space.
“I was making no impact. Business people don’t necessarily care about the impact a threat may have on the IT infrastructure,” said Honan. “I then switched tactics to talk about the amount of billable hours they could be losing to spam.”
Drawing on the whiteboard, Honan estimated it would take an employee one second to deal with each piece of spam. He multiplied that by the number of spam messages received, converted the total to hours, and multiplied it by the average employee wage.
“I managed to show the impact from a productivity and financial point of view the levels of spam were having on the company,” said Honan. “Investing in improving their spam solutions far outweighed the cost to the business of leaving things as they were.”
8: It’s a metric so you should pay attention to it
“The first report included some of the least useful numbers I can think of, such as percentage of emails sent TLS versus plain text, number of attacks blocked at the firewall, and security related calls to the help desk,” said Reck. “It was more of a ‘here's everything I can measure’ dump instead of actually accomplishing any objective.”
Reck’s metrics were met with utter silence since they had no impact on the company overall.
“That was the point at which I started working to create a model that communicated two things: the effectiveness of the controls in my program, and the impact of my program on the larger organization's bottom line,” explained Reck.
9: This insecure FTP server is going to take down our company
Before joining Tenable Network Security as a strategist, Cris Thomas (@spacerog) was working at a firm that had arguably the most insecure FTP site he had ever seen. Anonymous FTP logins were enabled, customers were sending mountains of PII, and all the files were exposed.
In a panic, Thomas immediately ran to the CEO and explained the problem, to which the CEO responded, “We don't build rockets.”
“It took me a second to realize that he meant that our company was not at risk of an online attack since we had no classified information,” said Thomas.
Now understanding they didn’t hold highly sensitive data, Thomas still tried to explain the problem to the CFO, but to no avail. Only when the CIO stepped in did the conversation move forward: the CIO offered a more nuanced way to raise security with the CEO, explaining the business impact of the FTP server and why it should be fixed.
“I learned why the CIO was the CIO, and I was able to learn from his example how to communicate and equate risk to non-technical people,” said Thomas.
10: Any security vulnerability is a disaster
Early in his security career, David Mortman (@mortman) received a customer call letting him know that his company’s product had a security vulnerability. Frightened at the possibilities, Mortman, now a chief security architect for Dell, ran to the CEO and VP of engineering to warn them of this “sky is falling” disaster.
“I got laughed out of the room,” admitted Mortman.
Mortman never explained why this bug was more important than any of their other bugs. Turns out this customer was the only one using the specific feature and it wasn’t a big deal to him. He was just reporting a bug to be fixed eventually.
“I didn't research the issue or the context of the issue well enough and I didn't understand my audience either,” said Mortman. “The next time, I came to the team with a proposal based on potential impact to customers and a relative risk ranking.”
11: It’s risky, what more do you need to know?
When Wendy Nather (@451Wendy), research director, enterprise security practice for 451 Research, was working for an investment bank, the head of equity trading asked her a risk analysis question: “If I plug in this modem, how insecure are we going to be?”
Nather responded, “I dunno. Five?”
Her trading colleague lived by quantitative risk measurements. While Nather was able to show different scenarios of risk with the modem, she could never arrive at a numerical answer that would satisfy her coworker. Today she is more cognizant of the need to show levels of risk, but it’s not easy. While she can envision the risk, she still has trouble (even after years of training) quantifying risk.
12: I’ll exploit the network to prove my point
“I used to think communicating security and effectively explaining the current posture was all about the exploit,” said Jeremiah Grossman (@jeremiahg), interim CEO for WhiteHat Security. “Show ‘the business’ that you—or anyone—could break through their IT defenses with speed and ease; do that and they’d instantly see the light.”
Grossman quickly learned this sales technique didn’t work as it was the equivalent of calling their baby ugly.
To get people to understand the importance of security he had to speak in terms his audience cared about, such as risk and money.
“The best way to find the right message is to simply practice,” advised Grossman. “Start with a single person in that department and try out your presentation. Use their feedback to hone your overall message, which is exactly how you should set their expectation. From that point, when done properly, not only did you improve your communication, but also gained an ally for future discussions that will follow.”
13: Here’s my security strategy, implement it
When working as the CISO for Providence Health & Services, Eric W. Cowperthwaite (@e_cowperthwaite), now VP, advanced security & strategy for Core Security, was tasked with creating a three-year security plan for the healthcare provider.
While he tried to do his due diligence, meeting with seven strategic business units, Cowperthwaite had neglected one business leader who was very concerned about how this new security plan would disrupt physicians’ daily work.
During one meeting, that business leader asked if Cowperthwaite’s new strategy meant doctors were going to have to perpetually change their passwords. Not understanding the gravity of the question, Cowperthwaite just said yes. Immediately the business leader went on a tirade about how Cowperthwaite didn’t understand the business or how to deliver quality care.
Dejected and ridiculed, Cowperthwaite had to bounce back from this negative experience. He took the advice of a colleague to spend a day in the emergency room, a day with home care nurses, and a day in surgery.
He said, “I learned an immense amount about how healthcare is delivered, and how computers and security often obstruct quality care, instead of supporting it.”
14: If SANS says it’s risky, we should worry about it
For years, Alex Hutton (@alexhutton), faculty member at IANS Research, would rely on SANS or CVSS or someone else’s perception of the likelihood of a negative event. In hindsight, he realized these recommendations often had little bearing on the real-world situation his organization was facing.
“I've tried to turn these matters of IT health around in conversation by using an analogy almost anyone can appreciate,” said Hutton.
Hutton would compare infosec to personal health issues, such as smoking and wearing your seat belt. For example, the chances of death from smoking one cigarette or driving once without a seat belt are very small. But health risks, like security risks, compound when problems stack up. If you’re overweight, middle aged, don’t exercise, and smoke a pack a day, then your chances of survival are much lower.
15: It’s long, it’s painful, but it’s for your own good
In an effort to create a more secure environment for personal identifiable information (PII), Thom Langford (@ThomLangford), director of the global security office at Sapient, devised what he believed to be a thorough and “friendly” questionnaire that would both educate and gather the necessary data from a client’s employees.
Six weeks later Langford had only a 13 percent completion rate, and much of that came from in-person interviews. Most people were turned off by the 150+ questions.
“Feedback indicated that they felt it was a waste of time and simply got in the way of them actually doing their work,” said Langford. “We hadn’t gathered the information and we had put people off listening to us in the future.”
Langford bounced back by reengineering the questionnaire to a maximum of 10 questions. His team got the data they needed and started a dialogue about PII. The program was a success, albeit two months behind schedule, and Langford got to keep his job.
Conclusion: Know your audience
Security folks often feel as if they live in a closed bubble. No one understands them. That’s true if they only speak the language of security. As you saw in each of these stories, security fails the business when a security pro doesn’t speak the language of the business, or they don’t take the time to understand how a specific security threat will affect the business.
The days of security surviving by scaring the business into reacting to potential threats are long over. Security professionals are more successful communicating their vision when they take the time to understand the intricacies of the business.
Creative commons attribution to West Point - The U.S. Military Academy, Marcus Sumnick, SmartSignBrooklyn, Australia - Department of Foreign Affairs and Trade, Mathias Klang, Sh4rp_i, U.S. Navy, and Sebastiaan ter Burg.