Change the Tone

Introduction

Strolling down the aisles of the one of the world’s largest security conferences, it occurred to me that while much has changed in the world in which we practice information security, not much has changed in the way which we market ourselves, our technologies and services. The Japanese definition for the word crisis is comprised of two words, danger & opportunity.

I see the “danger” as the commoditization of the information protection profession. This quandary is further compounded as corporations begin to outsource the Security Operations Center (SOC). If you would have asked me 5 years ago about the outsourcing of the SOC, I would have bet against it. Now, corporate America is considering outsourcing incident response and breach management — the Holy Grail of our industry – in an effort to improve the bottom line. Once these functions leave US soil, you can trust that audit and compliance are sure to follow.

However, as bleak as this may sound, there is “opportunity” in this equation as well. The opportunity is for information security to become more in sync with the businesses we support. We need to be perceived as enablers of the business, not impediments to success and growth. But how do we seize this opportunity?

It’s Time for a Change

We need to stop selling tools which claim to resolve all regulatory woes; stop using flashing emergency lights to advertise our products; stop selling more security or technology than our clients need and most of all, we must stop peddling Fear, Uncertainty and Doom (FUD).

We spend far too much time and money figuring out how to protect everything we own and very little time figuring out what exactly needs protecting.

Most corporations which sell security products are stuck in this model. They end up with internal lines of business fighting against one another to capture revenue at the expense of properly servicing their customers. Nowhere is this dysfunction more evident than in corporate internal risk groups. Executives don’t know where to turn for advice when they have operational risk groups, compliance groups, information security groups, and Internal Audit groups — all seeming to perform the same functions of asking questions, pointing out risks and peddling fear! Admittedly, I know of a few companies who “get it”, but the concept of convergence is rife with political obstacles and protectionist road blocks.

Risk will always be there. We must move beyond pointing it out just for the sake of getting attention, to actually figuring out how to become a better business while embracing the inevitable. We spend far too much time and money figuring out how to protect everything we own and very little time figuring out what exactly needs protecting. If we can try a different approach maybe management won’t stick their imaginary finger in their ears every time they hear the word risk. We have to shift from being the security guard at the gate to become the conveyor belt in the factory.

A seat at the table

We must also consider the fact that we are a cost center and we will always be a cost center (unless we sell security technology) and as such, we will always be a very large line item on the annual budget. Once we get over our obsession with FUD, we will begin to look at the businesses which we support and determine where we can eliminate process for process sake, thereby increasing our efficacy and profitability. Our goal should be to get an invitation to have a seat on the Board and other executive management planning sessions because we are a partner to growth not an obstacle.

A new Lexicon

It all starts with the terminology we use. We need to bury the words like Risk, Regulatory and Compliance and replace them with terms like process support, value relationships or performance management which empower and enable the accomplishment of corporate goals. We must look to our peers in Marketing, Accounting, Sales and HR to see the verbiage and visual aids which they use to support the business. By changing our tone to an enabling one, we will be able to participate in discussions involving the growth of the business.

Just Say NO!

At the risk of sounding cliché, it is incumbent on us to do a few things:

1. Just say NO to FUD!
2. Change the tone from a negative one to a positive one.
3. Resist the urge to use fear and regulation as anything more than a bullet point on your presentations.

If we make this shift, we might just be in a position to save ourselves from ourselves. I am pleased to announce that I have had this conversation with numerous people from our industry and a good number of them have reached the same conclusion. Even if the sky does fall, business still must go on and our job is to ensure that it does with minimal interruption.