Christmas has come and gone, and once again I am reminded of the almost inevitable separation of children from adults at mealtimes.
At the kids' table there is more food on the floor than on the plates. The rolls and casseroles fight for space with the robots and building blocks. What conversation there is is a mixture of shrill, ear-splitting screams and nearly incoherent babble. The "older" kids are too engrossed in their smartphones and iPods to share in a constructive discussion, and they don't care to try to keep the younger kids "in line" and focused on the task at hand (namely eating).
As I look over at the "grown-up" table I see something diametrically opposed to the kids' table experience. People are laughing and carrying on and having a good time, yes, but at the same time they're accomplishing what they're there for; again, eating. The conversation, while boring at times, is almost always civil (I said ALMOST always), easy to track from beginning to end, and interruptions among participants, while present, are kept to a minimum. The area around the table is neat and tidy, and the food is either on the trays, on the plates, or on the forks. The differences between the two experiences couldn't be greater. All of the above with the obvious exception of drunk Uncle Jack or crazy Aunt Jill.
What does this have to do with information security? Just this: there is always discussion among information security professionals about being unable to "get a seat at the table," about not being taken seriously by executive management, or some similar complaint. I see two reasons for this:
1) "Security" professionals sometimes struggle with the idea that it's not good business to spend a dollar to protect a nickel. To them, risk is risk and risk must be dealt with. What seems to be forgotten is that risk ACCEPTANCE is a valid response when mitigation or transfer isn't viable, warranted, or desired, provided the decision is made knowingly by someone with the authority to accept the risk and is written down so it can be revisited.
2) "Security" professionals focus too much on the tools and the tasks and not enough on the outcomes. Executives don't care about scanners and sniffers and firewalls. They care about making, saving, and/or investing money; hopefully wisely and ethically, but that's a different blog post. They want to hear about results, not be yelled at about tool chains (FOOD FIGHT!!!).
We security professionals MUST learn to quit throwing our food at the executives when we don't get the responses we think are warranted. We have to learn to drop our toys, so to speak, and pick up our calculators. Otherwise we, as security professionals, are going to be relegated to the kiddie table for a long time to come.
Here's hoping that all three readers of this blog (hi Mom) had a Merry Christmas, Happy Holidays, and a Happy New Year.