While listening to the 2012 Security Outlook presentation by the Information Risk Executive Council, I heard them repeat a long-standing industry concern: for a security person to be effective, they have to manage their reputation. In particular, people who advocate for security processes or spending have to avoid the perception that they want to benefit from Fear, Uncertainty and Doubt in any way. Unfortunately, a discussion of APT-style attacks sounds so much like a spy novel plot that others could perceive it in a very negative light. That makes me wonder whether part of the ultimate success of any security effort depends on some particular security person’s ability, in Guy Kawasaki’s word, to “enchant” the organization. Maybe, if that’s true, it’s even a good thing.
In the article there is a lot of focus on the tenet that everything is, to some degree, a sale. I think if you take that further, a sale can be either positive or negative. For instance, the existence of auditors and audits is a bit of a negative sale today. Companies look at it as “either successfully pass the audit, or pay a lot of money in some way.” This is where we, as an industry of security professionals, missed an opportunity to turn the compliance sale into a positive for both the industry and the consumer. The sale of compliance could have been about how making it easy to pass your audit gives your smart security people more time to focus on higher-level security work. Or about how, by achieving compliance comprehensively, you have addressed the Security 101 issues that plague other companies. Or about how, if you use compliance as a guiding spirit, you can produce an evolving security process that keeps improving over time. Or even that you know you’ve gotten past that first hurdle: changing how you think about how things get done.
Maybe the announced “death of compliance” is another opportunity for us to find a way to create enchantment in the security industry. If the pundits are correct that nothing focuses the mind like the fear of extinction, this could be a golden opportunity. Reflecting on why a compliance-based approach didn’t improve many companies’ security postures could be the opportunity to educate and enchant decision makers on the benefits of going beyond “compliance is good enough.” Maybe the heart of how we continue to grow investment and engagement in security is in telling the story of success, not for the vendors but for the customers.
What does success look like to a C-level executive? What does it look like to the folks in operations? We can tell that success story, both as a long-term vision and in short-term increments, and we can choose to put the negative sales stories, the cost-of-failure and consequence-of-breach stories, into the appendix. It’s a bit like how publicly traded companies share their quarterly financials. They tend to focus on the upside, and while full disclosure is required, negative information can be managed so that it does not take over the conversation. If our customers are enchanted with our value proposition and the stories of success, they will be engaged in the process, and we can build an evolving circle of improvement. Wouldn’t that be nice?