I recently was privileged enough to be asked to present at a merchant forum in London. Interestingly, the intended recipients had been very much in the driving seat since they had selected the topics themselves. After my previous posts (Part 1 and Part 2) on connecting the dots between information security, risk and fraud, you can imagine my pleasure that I, alongside my fellow speakers, was asked to do just that... A delightfully interactive audience, some very interesting chats at the breaks and the recent buzz about the value of security conferences prompted me to share some thoughts on how to actively engage with your stakeholders and get the results you need...
Down memory lane...
Four years ago, when I started on this crusade, I inherited a very specific audience. The industry push on PCI DSS was starting to be felt and organisations decided they ought to know a bit more about it. Enter the reluctant software developers, IT managers or network security engineers who’ve been told that they’d better get clued up and report back so the higher powers could decide the next course of action. So what did they do first? What everyone does: Google and find the PCI SSC site, try to make sense of the documentation (Oh my gosh, it’s an American standard!), talk to people who are just as clueless, attend technical conferences and webinars, read white papers and get approached by vendors swearing they’ll make you compliant. They soon came to the conclusion that it was something complicated to do with security that their organisation had to comply with lest they suffer The Financial Penalties. So the message went back up the line: it’s very complicated and terribly technical (trust me, I’m a specialist...), needs a lot of investment (shiny new boxes!) and you have to do it otherwise the acquiring bank will strike you down... This is 2008, and the audience I regularly address wants to hear about the 12 requirements, so I tell them. I also tell them about non-compliance and data breach fines and associated fraud losses. This is not popular and I encounter two types of organisations. The first is where the Finance Director thinks that they’ve done very well so far and really doesn’t believe anything could happen to them because they have brilliant IT teams (you know what, I’ll take that risk, because I don’t believe you, and I haven’t seen anyone suffer yet...). The other type is where the IT Director is influential and sees this as a way of securing investments in shiny new tech under the sacred banner of “mandatory/regulatory” (often with no relation to PCI DSS). At the same time, non-compliance fines started to rain on the acquiring community and this was being felt, with outrage, by merchants. A whole industry was born (well, in the UK anyway, as it started a bit earlier than that in the US, but the principle is the same).
2008 RESULT: PCI DSS is technical, standalone, very expensive and unpopular. Organisations don’t really understand why they have to do it, many projects fail and much money is spent. No connection has been made with other similar areas of the business (e.g. information security, data protection). The perceived stakeholders are the techies. They attend security conferences because they need to understand more about what they think they need to do and see what tech is available to achieve it. At the same time, the CSOs and CISOs concentrate on controls and policies and are seen as “business preventers” (see earlier post). So the techies want to learn; that’s great, because we need them on board, so we all keep catering to this audience. But in 2008, I also wished I could talk to the decision makers that were not involved in technology to try and show them that infosec could really benefit their business, but they were simply not interested (and data breaches hadn’t made it to mass media notoriety yet...).
Fast forward to 2011-2012...
Well, we all know 2008 turned out to be a big year for data breaches (in fact, as big as 2011 according to DataLossDB.org) and we all felt it one way or the other. This contributed to raising the awareness of cybercrime in the ensuing years, at all levels. Unsurprisingly, the audience at the forum I mentioned in my introduction included Risk, Fraud and Finance as well as Security professionals. Uncannily, have you noticed that there has not been a new Mordac strip since 2010?
[Image: Mordac strip, May 2008]
I am a firm believer in popular culture as a good barometer of socio-economic concerns...
So what happened since 2008 that contributed to this change of attitude?
- Data breaches, lots of them (public attention: Boards questioned their IT: “Can it happen to us? Make sure it doesn’t”).
- Fines and financial penalties, lots of them (FDs and Treasury suddenly paid a lot of attention, and those that were breached paid even more attention).
- Everybody talking seriously about Risk Management since 2010 (I don’t mean just infosec professionals, I mean everyone, and the current economic climate contributed to that).
- More and more industry conferences dedicating slots to security related topics (Finally, I get invited to them!). Having said that, I had to organise a few of my own industry sector conferences to target this new audience, but it paid off in the end. The trick: 1) don’t talk tech to business people (don’t even try) and 2) explain how you can help in their own language (which is usually income or turnover related).
In the meantime, hard core security conferences continue to happen and continue to be successful, and long may it continue. We still need the techies to make sure we have the right tech to support the people and processes in our businesses. We also need the techies to try and keep ahead of the bad guys. One thing I would suggest, however, is that, in the same way infosec/risk/fraud professionals want to talk at business conferences, security conference organisers should think about inviting business speakers so they can explain what’s important to them...
Going back to my introduction of this post, I was having a chat during the break at that forum, and a good friend said to me: “I have the buy-in of my Executive Committee, that’s not the problem. My problem is all those developers that are paid and measured to deliver business applications on specific deadlines, and they really don’t want to hear about security matters that might delay their projects...”. Here we go, another income/turnover related problem... Let’s examine it.
How to contribute to business development...
Situation: my company wants to develop a new mobile application. The business case suggests that it will deliver x income over y years.
The first question to ask is: have you (as an infosec/risk/fraud professional) been involved in the development of that business case?
If you have, good. You have hopefully incorporated all the (financial) metrics of security by design (rather than as an afterthought) and everyone understands the cost of bolting on or retrofitting security/fraud prevention compared to building it in (and let’s not forget the cost of remediation should anything go wrong, and important regulations, existing or coming during the lifetime of the product).
If you have not, here lies the problem. Why have you not been involved? Maybe you haven’t yet convinced the people that matter. Who was the accountable executive? Whether this lies with Sales, Business Development or Marketing, your task is the same. Try to understand the objectives and the pain points they are trying to address and the pressures they are under. You will always be able to come up with a mutually acceptable plan if all sides understand each other and no one wants to 1) be in the news for the wrong reasons, 2) suffer fraud for lack of adequate controls, or 3) take unreasonable risks. After all, the developers that are not listening to you are accountable to these people... Convince the top and the rest follows, unless the top didn’t really mean it... And yes, the Chief Marketing Officer may not want to talk to you, but have you shown him what some fraud monitoring tools can do for web session behavioural analysis, or how he could use security as a USP for mobile apps?...
So who are you preaching to, really?...
Well, the techies need to continue attending those security conferences, because we need them totally aware of what’s out there. Security professionals need to continue looking at risk management and get closer to fraud professionals, and vice versa. Security conferences should invite business people, and industry/vertical/segment event organisers should invite more and more security/risk/fraud people... Just mix it up and make it happen... We’re all part of the business.
Until next time...