Quick acknowledgment here: this is written from the perspective that security is at the center and core of all business. That is simply a conceit to allow for the perspective. The core element of any business is to make money and increase profits and profitability over time; I get that.
Many businesses struggle with figuring out where to put security. Where does it belong, when does it get considered in the course of a project, how much input should it be allowed to have; the list goes on and on. It’s officially 2023 and we still have many business people who view security as some unknown, almost mystical quantity, and security professionals as purveyors of some unknown wizardry; not much different from the world of IT. Business leaders know about security, have heard about security, and understand its power, but they just don’t see it as integral to the business. Its role throughout all aspects of business operations remains unknown. It is either accepted as a mystery or its importance is dismissed because it cannot be “seen.” So what do I mean by “security is the Force of the business galaxy”? It’s a straight Star Wars reference. Yes, that’s right, a security person has an analogy that comes from Star Wars.
There is a scene in Star Wars Episode V: The Empire Strikes Back when Yoda is explaining the nature of the Force to Luke. Yoda explains the Force’s existence like this, “Its energy surrounds us and binds us… You must feel the Force around you; here, between you, me, the tree, the rock, everywhere…” This view can apply if we take security at its most macro level. Security is many things; it is not just monitoring, threat hunting, etc. It consists of the GRC world of policy, process, and procedure. It is present in all departments, in all business processes, and in all business functions. You see, security is inherent in the business. It’s already there; many just aren’t aware of its presence. Security is the energy that surrounds the business and binds the business. You must feel Security around you; here, between you, me, business leadership, business practices, everywhere. And it flows from governance.
Governance starts at the very top of an organization. Those at the top determine the type of business they are, how they move, how they innovate, and what level of risk is acceptable and necessary in order to meet the mission of the business. This is where security starts; where it gets its own mission. The business mission and the level of risk acceptance that’s established, even if not explicitly stated, start here. Security considerations come from what’s established. This is where the Force (security) emanates from and impacts all life within the organization (so to speak).
That security establishment becomes the guiding force throughout the rest of the organization. It is a part of the policies that an organization implements, as each one is written to help facilitate the business mission within the bounds of risk that have been accepted. It dictates process and process improvements. How can we make the business operate more efficiently, integrate systems, and automate tasks, without sacrificing too much of what we’ve established as our security posture? Do our vendors, contractors, and partners meet our acceptable risk levels? As we go through and do a full risk assessment considering all of these components, which areas pose a risk higher than the business has set as its level of tolerance for risk? What controls can we apply to mitigate that risk? Which risks remain too high, so that we opt to avoid them or transfer them to insurance? What does our security and training program look like for our employees, so that they are aware of our processes, our policies, and how we expect them to perform their roles in an efficient yet secure manner?
Sure, it sounds a little silly when you first hear it. And granted, it may be a bit of a stretch and too security-centric for how a business truly sees itself as operating. But all of these components connect all aspects of business, just as Yoda teaches Luke that the Force flows through all things. Security exists where and when we’re not even thinking about it. It binds the business together. Is that a bit of a security professional’s idealist view? Sure, maybe. But it is true, from a certain point of view.