Here we are at the cusp of a New Year; and I’m looking back and waxing philosophical. I’m thinking that paradoxically, having a lot of painful, expensive, high profile breaches actually advanced the state of security, and risk management. A cursory glance across infosec headlines in 2010 and 2011 is covered in highly publicized breaches (Sony, RSA, etc.); at the same time, they are the year of renewed interest in Risk Management and CISO roles. Both RSA and Sony publicized the hiring of CISOs post breach; and shared conversations about Risk Management.
Why didn’t this happen sooner? People in the security industry have all known for years that breaches will occur. Likely not the details around them, or the timelines; but that this was going to be an increasing reality. But, it feels like this was not an embraced fact of life by executive teams until it started happening. A lot. With large, and sometimes personal executive consequence.
In the second half of 2011 there have been lots of articles and papers about how compliance (done with the right approach) is a step toward better security. How CISO roles are expanding. How it is not enough to have an IT Security department in isolation for businesses to make good decision, they need to up level and comprehend risk. People who measure these things are saying that there’s a lot of interest, and that security spending will increase in 2012.
These are all great conversations, and great strides forward for the security of our companies, our customers and us. But weirdly, they didn’t happen at this pace prior to breaches being in the news. They didn’t happen when it was considered a “theoretical” risk to companies trying to save their pennies during a less than bullish economy. If we assert that there is more interest going into 2012 in spending in security; when you look at the current economy; it’s clearly not merely bull or bear that drives overall security / risk investment. Given that the last two years have been the steadily escalating noise of breaches in the news and executives incurring direct personal impact from that; I think that was a significant element to helping our ongoing conversations move forward and get richer. That’s why I think we owe breaches a thank you for getting us reengaged at the top levels, and broadening and deepening our conversation.
Breaches appear to have driven security and risk management from a mid level management function back up the stack into the executive offices. Executives require discussions of security be in the language of business; which is risk. The growth of risk officers help facilitate the necessary conversations about what tradeoffs a company is making, in a larger context. I also think both more CISOs, Risk Officers and high level risk assessment are all good things. The up leveling of the conversation from just “IT Security protects us from breaches” to the concept of active risk officers who drive conscious decisions about risk and the acceptance that we can’t protect everything all the time (as much as we all want to). I think we’re starting to really drive a vision of risk and security that don’t drive us away from technology, but toward smart promotion of using the right technology, security to the best of our evolving security and risk knowledge. I raise a toast to breaches for helping us move here.