You decide to eat at a restaurant that not only gets good reviews, but is highly recommended by a few of your friends. The menu is extensive and you and your lovely spouse or date pick out an entree that you can almost smell just by reading the description. The server–or sommelier if the restaurant has one–recommends the perfect wine pairing, a South African Sauvignon Blanc that brings some minerality to the party, complementing the shrimp with a coconut lemon glaze. Then comes the bad news: the restaurant is out of the very wine they just recommended.
What’s missing is a dynamic and context-driven wine menu, or maybe an all-encompassing restaurant menu, say on an iPad. These inventions do exist, and I say finally!
The reality is that we have enough technology to instrument just about every facet of daily life, both business and personal, and we should be looking for means to employ the data in a way that makes sense to the our customers, both internal and external.
One of the problems with the information security industry is that we tend to message for ourselves. We talk about vulnerabilities, exploits, hacktivists, tokenization, hashing, and a whole vocabulary rivaling the breadth and richness of the Klingon dictionary, to describe the “what” and “how” of information security. We forget that our customers often don’t speak the same language.
So who are our customers? Our external customers are the people or businesses that buy our product. Our internal customers are the business itself. Largely, our external customers don’t need messaging about our information security practices aside from contractual commitments that we are PCI compliant if we accept credit card for purchases of goods and services, that we are HIPAA compliant if we’re considered a business partner, SOX if we’re a publicly traded company, etc. We know how to answer those security questions: the common language is already defined by the regulations or contracts. And when we’re discussing security outside of contracts, we’re usually having the dialog with peers at the customer or partner organization, and we let them worry about how to up-message to their management.
Up-messaging to our internal customers is a different story. This is where we seem to fail at making the security case compelling all the way to the boardroom. Boiled down to an oversimplification, CEOs only care about two things: increasing revenue and lowering costs. They don’t want to know about the cool new application layer firewall that was just installed or that one-third of machines are infected with Stuxnet, but it’s dormant and not a threat. Executive management are our restaurant patrons; they just want to know the perfect food and wine pairing and be assured that both are available.
Let’s call this “Wine Intelligence”, analogous to Business Intelligence (BI). The pairings, inventory levels, staff attendance, table saturation and customer turnover speed, are factors that measure and forecast business success. Risks may be regional weather, transportation, the economy: a harsh winter in California drives vegetable prices through the roof; a hot growing season in Côtes du Rhône makes the wines more bold but shorter-lived; political unrest in South America cuts off supplies of tropical fruits and vegetables; a bad economy means less patrons and less expensive meals and wine; a good economy means a smaller pool of service staff and a shift of negotiating power.
In security we consider this broad view of risk as a part of Security Intelligence (SI). While most of the risks in the wine example are supply chain management, business operations are also critical factors: threats against our intellectual property from competitors or treasonous insiders; threats against information assets by cyber criminals or hacktivists; fraudulent activities against e-commerce or banking portals. None of these in and of themselves are directly useful to the boardroom, but they do feed into BI.
In fact, that’s what we should be shooting for: SI providing not only the visibility and context from the street level, but as a medium for percolating the information up into BI feeds and incorporating it into BI executive dashboards. Governance, Risk, and Compliance (GRC) solutions bring this visibility to the CISO, Privacy Officer, Risk Management team, and other management responsible for information security and provides the data that lets the CISO answer the question, “Are we secure?”, when asked by the board.
So while it’s generally the CISO’s job to translate information risks to business metrics, the more everyone in information security management starts thinking about the “why” of security and not as much–or maybe in addition to, depending on your day-to-day responsibilities–the “what” and “how”, the better decisions we can all make as a team. If nothing else, we’ll all understand that the ultimate goal is for our customers to enjoy a supreme dish and flawless dining experience, all paired with the perfect wine.