“No one really gets what it is we do.” I read and hear that phrase, or something similar, a lot when consuming InfoSec (information security) content. There are references and allusions to it on social media, write-ups in industry periodicals, and mentions of it on podcasts. The arguments tend to be the same. “It’s not all pentesting.” “It’s more than pew-pew maps and exploits.” “Security isn’t just about hacking.” If you’ve been in the industry for even a short while, you’re familiar with these frustrations and have heard them voiced in some form or another. We then get to the business side of the equation, where we lament that we are not thought of as critical to the business, that we’re only asked how to stop the latest ransomware threat or zero-day. “Security is never brought into the business; we’re always left on the periphery.” “Sure, we got a seat at the big kids’ table, but it’s in the middle of the table and all we get to do is pass food back and forth, from one end of the table to the other.” We work to get the message across that security is in every aspect of the business and that everyone at the company can really be viewed as a member of the security team.
There is an issue with that last part. Most people don’t want to hear that in addition to having to do their full-time job, they’re also expected to be a contributor to the security team. It’s often viewed as an odd ask: “we didn’t study this”; “I’m not really good with computers like the security folks”; “I don’t know how to code”; “I’m not a hacker” (a close cousin of “I don’t hack”). All of these revolve around the same mindset that security is strictly a technical field, full of Linux commands, heat maps, odd bits of code, and a face always glowing green in the reflection of the monitor. What gets lost are all the areas of the business that have a security component. The full scope of security doesn’t get realized. The full scope of skills and roles that are filled by security folks stays cloaked in a veil of mystery.
Let’s start there, with the full scope. If you ask security people, they will tell you that security is nothing more than risk management. That’s all we’re really doing. We work to ensure that the business is capable of operating at its desired and designed level, within the level of risk that leadership is comfortable accepting. If you’re new to security, well, first off, welcome to the field. You’ll start to hear the “CIA Triad” mentioned a lot as you study and learn from others. It is not a government agency thing, nor an underground crime gang thing. The three letters stand for Confidentiality, Integrity, and Availability. Everything that we do focuses on at least one of those three components, and everything we do is viewed through a lens of risk when it comes to those three elements. When we talk CIA, we’re talking about ensuring the confidentiality, integrity, and availability of our systems, data, and information. But it goes further, or at least it should go further. What are we doing to ensure that triad for our business? It’s all about the business and it’s all about managing risk. So the field we’re really in is “business security.” And there are a lot of us in business security.
So what are the areas of business security? If it’s a component of your business, then it has a component of business security within it, very close to its core. Keeping the components of the CIA triad in mind, it speaks to all of our policies, processes, procedures, operating style, departmental workflows, and interdepartmental workflows. There may not be technical controls in place, but there are controls in terms of processes. Let’s take the finance department. One of the more pressing threats to businesses comes from fraudulent changes to invoices, fraudulent requests to alter ACH account details, and other items related to financial theft. A company implements a policy that any requested change must be confirmed through an alternative, out-of-band communication using a contact channel that was already established as trusted. That means, for example, a phone call to a previously known-good number on file if the request came via email, never a number supplied in the request itself. It’s not an ACL (access control list), or an EDR (endpoint detection and response) alert, or some other technical prevention control. The organization has moved the security element into a standard business process. The risk is being mitigated via a process. Human Resources can implement similar controls when they receive requests to update or change direct deposit account information: direct communication with the employee, through contact details already on file, to confirm that they did submit the request. These secondary confirmations rarely take a lot of time and help assure all parties involved that the transaction can be trusted and that security has been implemented as part of our SOP (standard operating procedure).
Security starts with a business when senior leadership establishes, communicates, and then supports the level of risk it is willing to accept in the operational procedures of every business line. Many organizations want to ensure that their teams are working ethically, not doing anything to subvert a law or regulation, and not exposing the organization to a risk that outweighs the potential benefit. This entire model, and its starting point, is business security. No CISO (Chief Information Security Officer) or compliance requirement has been selected to govern that procedure. Telling the sales and marketing team to ensure that they are only promising and promoting aspects of the business that can be delivered is a security step. It ensures that the business does not gain a reputation for making false promises and then failing to deliver. The goal is to help establish and maintain the company’s standing in the business space and with clients and prospects.
None of these points or examples should discount the need for, or existence of, the technical “cyber” part within a security structure. And yes, there are departments and specialties within the realm of information security that are more technical than others. This call to rebrand isn’t to say that there are no technical components to InfoSec. But too often those of us in security do not speak to all of the elements that contribute to the day-to-day operations of the business. Too much emphasis is placed on vulnerability patching, asset inventory, threat intel, hardening of systems, security monitoring, log analysis, and the multitude of other technical components of a security program. That becomes the part that business leaders hear. They hear the “no” all the time. They hear the frustration expressed when a new tool is requested or when a report is generated speaking to average resolution times and patch rates. Leadership understands that these areas are important, but their importance seems to be viewed as a necessary annoyance.
That is where the ability to gain resources is lost. If something is a necessary annoyance, just the cost of doing business in the modern world, then it will be viewed and supported only to that end. If there is no overt connection showing that security exists in every aspect and function of a business, whether in its internal operations or its external-facing activities, then it will continue to be viewed by the majority as nothing but a line item that deserves the minimum acceptable importance.
It is our job, and our goal, to change that narrative. Does that mean that every security professional needs to know all of these elements? No, of course not. Yes, you should be aware of them, but I am not looking to add another criterion that can be thrown into “entry-level” job roles and responsibilities. We do need to acknowledge that security exists in all aspects of the business and frame our narrower roles and expertise as part of that much larger equation. That means asking questions about workflow and needs, not just about the vulnerabilities that an attacker can “hack”: the risks of a flawed process, the risks of policies that are too vague or too convoluted. We need to start discussing our role in security within the larger context of business security, recognizing that we are merely a formalization of what businesses have been doing forever. We need a rebranding. We are business security.