Sunday, July 24, 2011

InfoSec’s misunderstanding of business.

You have heard it ad nauseam: “if we as security practitioners want to be taken seriously, we need to understand the businesses we support and speak to the values of the business, blah, blah, blah”.  And that, my friends, is bullshit.  Still-steaming-in-the-pasture-on-a-spring-morning bullshit.


Want to move your objectives forward?  You need to understand greed and fear, specifically the greed and fear of the people who control the resources.  Trying to understand your organization’s business only works if the leaders of your org understand it too, and if they are not bound and/or blinded by monthly or quarterly objectives.

Don’t believe me?  Take a look at the banking industry, or the US auto industry, or whatever area you know about.  People who understood the business saw the train wrecks coming, and they tried to warn people about them, but they were ignored or worse.  Understanding the business can only lead to frustration, because the people running the business either don’t understand the business (but they have MBAs) or they aren’t allowed to act in the long-term interests of the business.

If you want to improve security in your organization, you need to understand how your organization works, not how it should work.  You need to know what feeds it and what scares it.  Sadly, that may have no relation to the business your organization is in.

Yes, I know that sounds a little bitter and depressing, but it really is OK.  The system is just broken enough to work (just like infosec).


Jack

8 comments:

Zhroom said...

Good old FUD..... it doesn't hurt to be a good salesman. Meaning the answer, I find, is somewhere between puritanical business knowledge and knowing what keeps the execs up at night. Or what could keep them from getting a bonus. Or what would keep their name out of the paper. More psychology than MBA. Sad but true. Good post. Thx.....

Infosec Guy said...

"If you want to improve security in your organization, you need to understand how your organization works, not how it should work. You need to know what feeds it and what scares it."

That is, in fact, EXACTLY how I would define "understanding the business" that we support.

I'm not at all sure that any form of [ generic | objective ] business knowledge can have any application in the real world.

Context is everything.

Anonymous said...

Glad to see that you're learning. Hope you've got power matrices, psychometric tests, budget allowances all mapped out and developed your very own internal security gang replete with dewberry oil and leather jackets. Tassles anyone?

As always, your reality strikes a twang.

Of course, you know yourself better than anyone.

Chris said...

I think you really nailed it. People don't respond to everything; they respond to certain things, and if you push those buttons then you are going to get somewhere. This is probably the best plan for people to actually accomplish things. It's definitely FUD, but you need to know what area to plant it in or you're up the proverbial creek.

Maybe I'm reading you wrong but I think this is a lesson that I learned through trial and error. The point being you have to show people what's in it for them to motivate them fully.

In infosec you are selling the absence of negative consequences which is a tough job. If nobody breaks in is it because you did your job or no one wanted to? It's gotta be a tough sell absent some law/regulation motivating the c-suite but I like the way you approach it here.

Jack Daniel said...

Thanks for the comments- it looks like this one resonated, even if it was just a short rant. I may have indulged in a little bit of hyperbole (shocking, I know)- but getting hung up on what "should be" can distract us from what is.

Mike Rothman did take exception to my post, his take is over at http://securosis.com/blog/how-can-you-not-understand-the-business. Make sure you check out the comments on that post, too.

Lucian said...

Wow! You are so right!

Now, you made it clear for me why some people are acting like this.

Last week I read somewhere that arrogant people believe that what they do not know is not important. My two bosses are both arrogant. If I combine this with what you said about the business people, I have a better picture of the whole story.

I will print part of this article and put it on my wall.

Kristian Erik Hermansen said...

I have an MBA and I resent that statement! ;) But I had a CS degree before that :) Does that make my assessment valid? Can I understand both???

Jack Daniel said...

Kristian, you know I'll make an exception for you ;)

Actually, you've done it the right way- found a career path, seen the technical side, and then moved into management. My real problem is people who are generic managers, getting spewed out of MBA mills like Babson and Harvard; they know nothing about their industries, and their egos tell them they do not need to.