Sunday, July 24, 2011

InfoSec’s misunderstanding of business.

You have heard it ad nauseam, “if we as security practitioners want to be taken seriously, we need to understand the businesses we support and speak to the values of the business, blah, blah, blah”.  And that, my friends, is bullshit.  Still steaming in the pasture on a spring morning bullshit.


Want to move your objectives forward?  You need to understand greed and fear, the greed and fear of the people who control the resources.  Trying to understand your organization’s business only works if the leaders of your org understand it, and they are not bound and/or blinded by monthly/quarterly objectives.

Don’t believe me?  Take a look at the banking industry, or the US auto industry, or whatever area you know about.  People who understood the business saw the train wrecks coming, and they tried to warn people about them, but they were ignored or worse.  Understanding the business can only lead to frustration because the people running the business either don’t understand the business (but they have MBAs) or they aren’t allowed to act in the long-term interests of the business.

If you want to improve security in your organization, you need to understand how your organization works, not how it should work.  You need to know what feeds it and what scares it.  Sadly, that may have no relation to the business your organization is in.

Yes, I know that sounds a little bitter and depressing, but it really is OK.  The system is just broken enough to work (just like infosec).