Shostack + Friends Blog Archive


Whose Line Is It Anyway?

For quite a while now, I’ve been claiming that in order for InfoSec to do its job properly, it needs to understand the business. Yesterday, Jack Jones again showed that he’s in the same camp when he asked us: “Risk Decision Making: Whose call is it?” There he shares his thoughts on how to decide whether the Information Security team should be making information risk decisions for a company or whether those decisions should come from upper management. True to form, Jack clearly lays out the issue (complete with great graphs). Read the entire post, because it’s really worth it. In particular, though, check out the “things to consider” section:

The simple fact is, security leadership will never know as much about the business-related elements at the top of the illustration, and business management will never know as much about the risk elements at the bottom. Consequently, if security is empowered to make the major decisions, then they need to spend the time and effort to learn as much as they can about the business-related elements. On the other hand, if business leadership is making the major risk decisions, then security must provide clear, unbiased, and useful information so that the decisions are well informed.

I don’t disagree with Jack in the least. However, it’s important to realize that even in the latter scenario, security still needs to know a whole lot about the business, or they can’t possibly articulate the correct information in a way that senior management can understand.
And if the above rationale isn’t good enough on why you as a security professional need to understand the business, try this on for size:

A decision-maker will to some degree ALWAYS apply his or her own personal risk tolerance to a decision. Consequently, if security leadership has been empowered to make major risk decisions, they should try very hard to be as aware as possible of business management’s risk tolerances. If security leadership isn’t careful on this, then they will, invariably, run into issues where business management doesn’t support security’s decisions. And if the misalignment is bad enough (and I’ve both witnessed this and come close to having it happen to me – long ago) then it can become a “terminal” condition. At the very least it makes the waters far choppier than necessary.

4 comments on "Whose Line Is It Anyway?"

  • Iang says:

    Although particular to FC, it has often been the case that in cryptography and security there is widespread ignorance of business by the incumbents, and widespread ignorance of the technical field by the managers.
    I’m not sure why it strikes in these fields more than others, but it causes chaos wherever security and business intermix.
    I don’t know what the solution is tho .. I could say “get an MBA” … having done that, and being wisened up in the process. But the cost of an MBA (year or two out of action) is way too high for a general solution.
    OTOH, if you are going to be making CISO level decisions, perhaps that is the cost you have to bear? Every other senior manager is expected to have an MBA these days, at least in USA.

  • Thinking a bit about the theme of security v. management, here is today’s thesis:

    The CSO should have an MBA.

    As a requirement! Necessary (but maybe not sufficient) for the Chief Security Officer job.
    …manual trackback
