One item that comes up a lot in conversations is how security teams or IT teams struggle to speak the “business language” to business leaders, mainly to members of the senior leadership that make the final decisions on spending and investments.
This problem could have its roots in IT, and later security, teams historically having their management lines within the accounting department, ultimately being accountable to the Chief Financial Officer. Regardless, there was a massive potential for adversarial relationships between IT and business. Most often we have seen this attributed to poor communication skills, from “too technical” of responses to misalignment with the holistic organization.
While the majority of departments that make up organizations do not live in a binary world of ones and zeros, accounting and IT generally do. It’s on or off, controlled or not. The world that sales, marketing, customer relationship service & support, human resources and others live in is one of nuance, inference, emotion and flexibility. Therefore, I’m not confident this is simply a miscommunication problem – communication is definitely a start, and it's where I would begin my investigation, but it's not where it ends.
Take monthly vulnerability management
, for instance. Is taking key systems down for patching generally a minimal impact event? Probably, unless that activity is executed over the last weekend of each month and quarter when busy salespeople may be working weekends or evenings to input customer orders or close key deals to drive revenue. This is just one of a number of situations that cause tension.
Take the situation when organizational execution runs into an IT or security team's “we always patch on the last weekend of every month” routine. Sales may be upset with IT and/or security. Whereas IT and/or security is of the belief they are doing a great job, they are meeting the vulnerability management SLA. Tension. Anger. Hate. Distrust. All disastrous to a relationship and long-simmering issues fester.
Cybersecurity aligned to business goals
What if there was a group of folks whose mission was to justify the IT or security team’s actions and who were able to base these needs upon the organization’s appetite for risk? What if it was this group’s or individual’s job to drive and communicate the proposed activity in concise business-friendly language to those departments that are not aware of the specific IT and/or security matters? There is. It’s called a Cyber Threat Intelligence (CTI) analyst.
Simply put, a CTI analyst is able to bridge communication gaps by being aware of unique IT, security and business requirements. It’s my belief that proper communication of “facts” that impact the business' risk tolerance will move an organization to adopt a more business-friendly – dare I say “agile” – relationship between those departments. Those who at best treat IT or security disrespectfully and who at worst are filled with contempt will be able to feel a sense of ‘being heard’ as a result.
To put it another way: You may need an analyst that lives in a world of possible risks whose job is to explain the “what” and the “so, what” to all the other departments and executives to answer their exasperated question of “why?”
Make no mistake: a CTI analyst will be tasked with aligning the challenges in communication language, figuring out the business risks, and ultimately determining what actions are needed to mitigate those risks. All with budget, priorities, and even individual department needs. The keys to this business, IT and security relationship are communication and awareness above all else. They will balance the knowledge of both sides of the business – what are the “crown jewels,” and what are the controls used to protect them?
Part of the CTI analyst role may be hearing the internal needs and trends, but an even more valuable part is keeping their ear to the ground and being aware of the industry-wide trends and risks. This is where the ‘threat intelligence’ piece of the job comes in, that is, recognizing the ever-changing threat landscape and seeing how this can affect your organization as a whole and as well as individual departments.
Good CTI analysts are made, not born. In most cases, intelligence analysts are trained by government agencies, law enforcement or the military. But, someone passionate about communicating and justifying disruptive business action based on a creditable threat to the organization will go a long way in reducing the friction between IT or security and the other businesses that think they live in the “real” world. They will have the training of the ‘real world’ view, technical knowledge and industry best practices, along with the business focus of your distinct, and they can use all of this information together to create a holistic and robust strategy.
Ultimately, this role is not a simple "zeros and ones, patched and not patched" mindset. It’s not even red team blue team. The CTI analyst role reaches to a depth beyond how you might traditionally view an analyst because they’re specially skilled on the technical side, on the human side, and on being able to see trends that might otherwise go unnoticed.
About the Co-Author
: Ian Thornton-Trump, CD is an ITIL certified IT professional with 25 years of experience in IT security and information technology. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. After a year with the RCMP as a Criminal Intelligence Analyst, Ian worked as a cybersecurity analyst/consultant for multi-national insurance, banking and regional health care. His most memorable role was being a project manager, specializing in cybersecurity for the Canadian Museum of Human Rights. Today, as Chief Information Security Officer for Cyjax Ltd., Ian has deep experience with the threats facing small, medium and enterprise businesses. His research and experience have made him a sought-after cybersecurity consultant specializing in cyber threat intelligence programs for small, medium and enterprise organizations. In his spare time, he teaches cybersecurity and IT business courses for CompTIA as part of their global faculty and is the lead architect for Cyber Titan, Canada's efforts to encourage the next generation of cyber professionals.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.