Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

The “So What?” Factor of Information Security

While There are Exceptions, Most Business Executives View Security as a Necessary Evil…

While There are Exceptions, Most Business Executives View Security as a Necessary Evil…

I have met a number of highly qualified, talented security professionals over the course of my career. I have also had the good fortune to witness some of those people accomplish a variety of amazing things within the information security space. So it may come as a bit of a surprise that when people demonstrate or present their work to me, I often ask them, “so what”? Allow me to explain.

As information security professionals, it is tempting to become enamored with the beauty or elegance of a technical solution, analytical technique, or investigative outcome. But we must remember that we live in a business world. It may be somewhat hard to believe, but to most of the world, security is essentially a black box. Stuff goes into the black box and other stuff comes out. What happens in between is often regarded as a bit of an enigma. While that may a bit of an overstatement, it is certainly true that security as a profession or business function is not particularly well understood by outsiders.

IT Security Tools and TechniquesThis is all the more true in an enterprise setting. In an enterprise setting, security is viewed as an investment, or perhaps more accurately, as an expense. Executives invest a certain amount of money in security to manage and mitigate risks to the business. This is an important point to understand – while there are exceptions, most business executives view security as a necessary evil. The cost of a security program is certainly non-trivial. But the cost of not having a security program or of having an inadequate or immature security program can be far higher. That cost is typically measured in financial, legal, or public relations (PR) damage to the organization, its reputation, or its brand.

It is within this context that the “so what factor” becomes so important. Let’s take the case of building a successful security operations function as a working example. Say we go before our executives to request budget to build or enhance our security operations function. To a security professional, the need to perform the following (high level) steps may be clear:

• Establish a clear vision for the security operations function

• Assess the risks and threats to the business

• Develop goals and priorities for the security program based on those risks and threats

• Hire and retain the right people

• Develop and continually improve a mature security process at both strategic and tactical levels

• Identify gaps in visibility and implement technology to address those gaps

• Develop alerting content based on risks, threats, goals, and priorities

• Established a unified work queue populated with high fidelity alerts, creating a high signal-to-noise ratio

• Ensure a smooth operational process with adequately trained staff

• Establish required communication channels with key incident response stakeholders

• Integrate actionable intelligence

• Build information sharing relationships

But if we present our case in this manner to someone who is not a security professional, we will likely receive the response: so what? What that response tells us is that there is a misalignment of what we see value in and what our audience sees value in. But why does this disconnect between the security professional and the business executive exist? Well, for starters, in technical fields, our plans are generally laid out to address logical or functional issues. To us, this is a sensible way to go about things – for every operational itch, I need a way to scratch it.

What we have to remember is that non-technical people see the world differently. They view security as a budgetary expenditure that is somewhat of a mystery, and we must tie our budgetary requests and our strategic plans to business use cases that resonate with our audience. This is not an easy task for a security professional – it requires looking at the world in a way that is not entirely natural for most of us. But, if we do it properly, we have the potential to communicate our goals, strategies, and plans to an entirely new audience that can provide us the budget to achieve them. That has the potential to bring a tremendous amount of good to the organizations we dedicate ourselves to.

Let’s revisit the case of building or enhancing our security operations function, but this time, let’s formulate our argument based on points that resonate with our business audience. This will vary depending on our specific business model of course, but let’s give a few illustrative examples of points that address issues that may be on the mind of business executives. This time, we take the angle “we need to build (or enhance) our security operations function in order to”:

• Prevent theft of payment card data

• Identify compromise and fraud of critical assets (e.g., money movement servers)

• Detect and respond to breaches and theft of sensitive, proprietary, and confidential data before they cause financial, legal, and public relations damage to the organization

• Gain client and partner trust and confidence through a mature security program

At first glance, it may seem like we are leaving out a lot of important information, perhaps most importantly “how” we will accomplish these things. But that is the point – information that is not necessarily going to be absorbed and internalized by our audience or that resonates with them is essentially superfluous to the discussion.

Of course, we should always have our full plan ready, at various levels of detail, in the event that we are asked for it. As technical people, it is our natural tendency to want to include every relevant piece of information. But to non-technical people, what’s relevant to the discussion is drastically different. This is an important point, but one that is quite difficult for security professionals to internalize – it’s simply not a natural way of thinking for most of us.

I hear a lot of security professionals beating the “people aren’t listening to what we are saying” drum, but how many of us have taken a step back to think about whether or not we are delivering the message incorrectly? It all goes back to mapping security issues to business use cases.

If we are successful in our communication efforts and we obtain the budgetary resources we are after, our executives will soon want to measure the effectiveness of their investment. We should be sure to use meaningful metrics relevant to the risk and threats faced by the business to evaluate ourselves, rather than meaningless metrics. This is a very important topic, and one that I intend to address in a future column. Until then, think about the very important role we all have as the messenger.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.