SecurityWeek

In Vino Securitas: Comparing Security Intelligence and Wine Intelligence

You decide to eat at a restaurant that not only gets good reviews, but is highly recommended by a few of your friends. The menu is extensive and you and your lovely spouse or date pick out an entree that you can almost smell just by reading the description. The server–or sommelier if the restaurant has one–recommends the perfect wine pairing, a South African Sauvignon Blanc that brings some minerality to the party, complementing the shrimp with a coconut lemon glaze. Then comes the bad news: the restaurant is out of the very wine they just recommended.

Aside: Just so I don’t lose those of you who aren’t enophiles (that’s E-N-O-phile, also spelled oenophile, n., one who appreciates and enjoys wine; one who collects wine): fans of craft-brewed beer, scotch, or even fine tequila (not the lick-shoot-suck tequila, but the kind you want served in a small snifter with a few drops of mineral water to release the fruit, spice, and smoke) should substitute whatever pleases them.

What’s missing is a dynamic, context-driven wine list, or better yet an all-encompassing restaurant menu, say on an iPad, that knows what is actually in stock before it recommends anything. These inventions do exist, and I say finally!

The reality is that we have enough technology to instrument nearly every facet of daily life, business and personal alike, and we should be looking for ways to present that data so it makes sense to our customers, both internal and external.

One of the problems with the information security industry is that we tend to message for ourselves. We talk about vulnerabilities, exploits, hacktivists, tokenization, hashing, and a whole vocabulary rivaling the breadth and richness of the Klingon dictionary, to describe the “what” and “how” of information security. We forget that our customers often don’t speak the same language.

So who are our customers? Our external customers are the people or businesses that buy our product. Our internal customers are the business itself. Largely, our external customers don’t need messaging about our information security practices beyond contractual commitments: that we are PCI DSS compliant if we accept credit cards for purchases of goods and services, that we are HIPAA compliant if we’re considered a business associate, SOX if we’re a publicly traded company, and so on. We know how to answer those security questions: the common language is already defined by the regulations or contracts. And when we’re discussing security outside of contracts, we’re usually having the dialog with our peers at the customer or partner organization, and we let them worry about how to up-message to their own management.

Up-messaging to our internal customers is a different story. This is where we seem to fail at making the security case compelling all the way to the boardroom. Boiled down to an oversimplification, CEOs only care about two things: increasing revenue and lowering costs. They don’t want to hear about the cool new application-layer firewall that was just installed, or that one-third of the machines carry a dormant Stuxnet infection that is not currently a threat. Executive management are our restaurant patrons; they just want to know the perfect food and wine pairing and be assured that both are available.

Let’s call this “Wine Intelligence”, analogous to Business Intelligence (BI). The pairings, inventory levels, staff attendance, table saturation, and customer turnover speed are factors that measure and forecast business success. Risks may be regional weather, transportation, or the economy: a harsh winter in California drives vegetable prices through the roof; a hot growing season in the Côtes du Rhône makes the wines bolder but shorter-lived; political unrest in South America cuts off supplies of tropical fruits and vegetables; a bad economy means fewer patrons and less expensive meals and wine; a good economy means a smaller pool of service staff and a shift in negotiating power.

In security we treat this broad view of risk as part of Security Intelligence (SI). While most of the risks in the wine example are supply-chain risks, business operations are just as critical: threats against our intellectual property from competitors or malicious insiders; threats against information assets from cyber criminals or hacktivists; fraud against e-commerce or banking portals. None of these is directly useful to the boardroom on its own, but they all feed into BI.


In fact, that’s what we should be shooting for: SI that not only provides visibility and context from the street level, but also serves as the medium for percolating that information up into BI feeds and executive dashboards. Governance, Risk, and Compliance (GRC) solutions bring this visibility to the CISO, Privacy Officer, Risk Management team, and the other managers responsible for information security, and they provide the data that lets the CISO answer the board’s question, “Are we secure?”, in the board’s own terms: revenue at risk and regulatory exposure rather than vulnerability counts.
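To make the “percolating up” concrete, here is an added illustration (not code from the article or from any GRC product) of the translation layer it describes: per-asset scanner findings and threat-intel flags go in, and one row per business service comes out, phrased in revenue and regulatory scope. Every asset, revenue figure, and finding is constructed for the example, and the CVSS 7.0 cut-off used to decide what counts as “material” is an assumption, not any standard’s definition.

```python
"""Roll security findings up into the business terms a board dashboard uses.

Added illustration for this column, not code from the article. All assets,
revenue figures and findings are constructed; the 7.0 CVSS cut-off is an
assumption for the example, not a standard's definition.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    service: str            # business service the asset supports
    revenue_per_day: float  # revenue that service earns per day (constructed)
    pci_scope: bool         # handles cardholder data, so PCI DSS applies


@dataclass(frozen=True)
class Finding:
    asset: str              # Asset.name the scanner raised this against
    cvss: float             # CVSS base score
    exploit_public: bool    # threat intel reports a working exploit in the wild
    internet_facing: bool   # reachable from outside the perimeter


# Constructed "street level" data: what the security team already has.
ASSETS = [
    Asset("web-01", "online-store", 80_000.0, pci_scope=True),
    Asset("web-02", "online-store", 80_000.0, pci_scope=True),
    Asset("db-01", "online-store", 80_000.0, pci_scope=True),
    Asset("wiki-01", "intranet", 0.0, pci_scope=False),
    Asset("erp-01", "order-fulfilment", 50_000.0, pci_scope=False),
]

FINDINGS = [
    Finding("web-01", 9.8, exploit_public=True, internet_facing=True),
    Finding("web-02", 5.3, exploit_public=False, internet_facing=True),
    Finding("db-01", 7.5, exploit_public=False, internet_facing=False),
    Finding("wiki-01", 9.1, exploit_public=True, internet_facing=False),
    Finding("erp-01", 4.0, exploit_public=False, internet_facing=False),
]


def is_material(f):
    """High severity AND a realistic path to exploitation (assumed threshold).

    A 7.5 on an internal host with no public exploit is work for the security
    team; a 9.8 on an internet-facing host with a public exploit is board news.
    """
    return f.cvss >= 7.0 and (f.exploit_public or f.internet_facing)


def board_summary(assets, findings):
    """One row per business service, in the vocabulary executives speak.

    Findings count against the service their asset supports, so the report
    says "online-store" and "$80,000/day", not "web-01" and "CVSS 9.8".
    Findings whose asset is missing from the inventory are skipped here; a
    stale inventory is its own problem, but not one for this report.
    """
    by_name = {a.name: a for a in assets}
    rows = {}
    for a in assets:
        row = rows.setdefault(a.service, {
            "service": a.service, "revenue_per_day": 0.0, "pci_scope": False,
            "open_findings": 0, "material_findings": 0,
        })
        row["revenue_per_day"] = max(row["revenue_per_day"], a.revenue_per_day)
        row["pci_scope"] = row["pci_scope"] or a.pci_scope
    for f in findings:
        asset = by_name.get(f.asset)
        if asset is None:
            continue
        row = rows[asset.service]
        row["open_findings"] += 1
        if is_material(f):
            row["material_findings"] += 1
    for row in rows.values():
        exposed = row["material_findings"] > 0
        row["revenue_exposed_per_day"] = row["revenue_per_day"] if exposed else 0.0
        row["pci_at_risk"] = row["pci_scope"] and exposed
    # Largest exposed revenue first: the order the board wants to read in.
    return sorted(rows.values(), key=lambda r: (-r["revenue_exposed_per_day"],
                                                -r["material_findings"], r["service"]))


def headline(rows):
    """The one-line answer to "Are we secure?", in business terms."""
    exposed = [r for r in rows if r["material_findings"]]
    return {
        "services_total": len(rows),
        "services_exposed": len(exposed),
        "revenue_exposed_per_day": sum(r["revenue_exposed_per_day"] for r in rows),
        "pci_at_risk": any(r["pci_at_risk"] for r in rows),
    }


if __name__ == "__main__":
    rows = board_summary(ASSETS, FINDINGS)
    for r in rows:
        print(f'{r["service"]:<18} revenue/day {r["revenue_per_day"]:>9,.0f}  '
              f'material {r["material_findings"]}  PCI at risk {r["pci_at_risk"]}')
    print(headline(rows))
```

The point of the structure is the separation: the scanner and threat-intel fields never reach the board row directly, only through `is_material`, which is where the security team encodes its judgement, and the row itself carries only figures the business already tracks. Note that the intranet wiki has the more severe-looking score on paper, yet ranks below the store because no revenue rides on it; that reordering is the translation the column is asking for.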

So while it’s generally the CISO’s job to translate information risks into business metrics, the more everyone in information security management starts thinking about the “why” of security, in addition to (or, depending on your day-to-day responsibilities, instead of) the “what” and “how”, the better decisions we can all make as a team. If nothing else, we’ll all understand that the ultimate goal is for our customers to enjoy a supreme dish and a flawless dining experience, all paired with the perfect wine.
