- It requires being thorough.
- It requires documenting things.
- It requires conducting training and drills.
- It adds what can be viewed as additional effort/cost on top of the primary goals (sell widgets/services/time).
- It involves weird and wonderful ways of abusing functionality that are not always apparent or expected, so to the typical consumer/user of a service the idea that it might be abused seems very unlikely (to a criminal or security professional, the idea that it will be abused seems far more likely, based on threat intelligence etc.).
The perception of Security
Security has often been seen through a lens of:
- Security as a Gatekeeper
- Security as a Watchman
- Security as a No
Security in the Digital World
Then we add in the complexity of digital computer systems. Let’s think about this:
- Computer systems are not always simple to use.
- Computer systems are complex (even in their simplest forms).
- Humanity has deployed computer systems, at pace and at scale, making everyday life reliant upon them; however, the majority of people are not computer scientists, so they are consumers of function rather than subject matter experts.
So, this means digital security is potentially viewed as:
- An overhead/cost
- Adding even more complexity
Have we given up yet?
Boy, you can probably (hopefully) see that this might make the role of a Cyber Security Professional (regardless of specific role) quite a challenge. If I said it wasn’t, well, I’d be lying. Security roles are challenging, and it’s exactly because they are challenging that makes them “fun”. (Be warned: like most industries, there are areas that cause stress, burnout and various other issues. Security is not alone in this; it has its own unique blend, but it’s not special or unique in terms of there being some negative elements. The cyber security world is, however, probably the fastest paced industry out there, and the pace challenge is hard.)
A fresh look at Security
In my experience, security as a SILO does not work! It’s an uphill battle where, if your only lens is being as RISK FREE as possible no matter the cost of consequences, you will likely not have a fun time.
If we take security in isolation, it adds friction; most organizations do not exist to simply “be secure” or “be robust”. So how can we look at security? Security should be:
- Business Enabling
- Sales Enabling
- Compliance Enabling
- Risk Managing
There isn’t a silver bullet for cyber security, and there isn’t a “hire a security person and the challenge goes away” option. It’s not us vs them; it’s not a “business” thing or a “security” thing, it’s all part of running an organization. It needs a whole range of things to “work” and a whole-of-organization approach.
So, there it is: security should be about business enablement, and it requires a whole-of-organization approach if it is to be successful. That’s much easier to say than to achieve (read the news for proof); however, if it were all easy, would we even be reading this?