More On Selling Security
Chandler says that “would rather be understood than perfect” in response to Mordax’s call to stop cutesy names for attacks. In doing so, he says:
Second (and I know this has been mentioned elsewhere in the world), instead of talking about vulnerabilities within the Software Development Lifecycle, I just talk generically about them as a post-release defect which contributes to the Cost Of Poor Quality. That’s something which is meaningful and whose costs can be inferred back onto the organization that produced them. And since Qwality is important around here, it gets traction with the developers in a way that “security matters…really” never quite did.
So when thinking about how to explain risk issues to The Business, ask yourself: Would I rather be perfect or understood?
This is an extremely important point that gets bandied about by CSOs but rarely expounded upon in detail. When trying to sell security don’t talk in terms of security, talk in terms of the value to the business. What this means is, you need to change your communications strategy. In the example above, see how Chandler doesn’t talk about vulnerabilities but about quality. So what you need to do is talk about the cost of delays in production cycles brought on by the need to produce patches and the time spent by the support organization in helping customers deal with those patches. Being on the IT side of security is 90% about marketing and sales and 10% about technology. If you really want to improve security at your company, go to the business units and ask them what their concerns are and demonstrate in their terms how you can help them achieve their goals safely. More on this next week…
Similar veign discussion over on the Securitymetrics.org mailing list.
I suppose it would be ideal if there was something capable of simple expression in business terms that, when poked and prodded, revealed rigor behind the risk analysis.