Security Is Not Job 0
Addressing a Persistent Lie in the Security Industry
It’s a popular canard: security is the most important thing to get right. You hear it directly: some of the hippest of tech firms make pretentious pronouncements. You hear it via implication through the security industry: how Security Awareness and Education is so important, that all those people just need to understand security. All the security problems are because people are uneducated. “If they all understood what I do and cared about what I care about, we just wouldn’t have these problems!!1!” the security industry preaches to itself.
This is ridiculous. Most people in the world know this, but some have bought the lie. I’m here to tell you now as a seasoned professional: security isn’t that important.
The lie is tempting, and thematically similar to a lie common across cultures and topics: “if everyone was like me, they’d be a lot better off.” You hear it in political discourse. You hear it in religious rhetoric. You hear it from mommy blogs explaining how their way of parenting should work for everyone. You hear it from articles on the latest diet fad or muscle-building regime implying that it will work miracles if you try hard enough. You hear it every day when your coworker criticizes your ideas while explaining how amazing everything was when she solved this problem at her last company.
If the rest of your organization understood and cared about security as much as the security team, it probably wouldn’t make money. Capital would be used inefficiently, products wouldn’t get launched, and marketing would be a joke.
Here are some common organizational goals that are almost always more important than security:
- Hit an earnings-per-share target (maybe just stay in the black (or maybe just slow the bleeding!))
- Keep patients alive
- Keep the power on
- Missional goals: rescue slaves, keep kids out of gangs, or just crank out a bunch of surgeries.
There are also team goals:
- Increase revenue within a product or segment
- Improve KPIs for your call center
- Improve click rates on an ad campaign
- Reduce costs
- Consolidate procure-to-pay processes onto a single ERP
Further, every person at a company has personal goals. People are wildly different, with their own motivations. Even if they do buy into the organizational goals, people have extra personal goals such as:
- Not get fired
- Avoid extra work
- Avoid conflict
- Feel valuable or important
- Desired role or title
- Avoid wasting time
- Stay out of jail
All these are good goals, and it’s hard to argue that security is more important than any of them. It’s rare for security to rank in anyone’s top 5 priorities.
Even though the risk and impact has exploded in the last 5 years, security will never be the end goal. It is and always will be a supporting priority. It’s hard to save patients if your local Epic instance gets ransomware.
Even Worse
Security isn’t even a single goal. Effective protection consists of many simple things done decently. For instance, Software governance is a piece, but it’s not more important than patching or config management or phishing prevention.
If the success of any particular security program relies on convincing people that it’s more important than any other goal, it will fail.
It will fail.
Ok, Doomer.
Luckily, the case for security isn’t hopeless. General operational excellence often yields substantial security benefit too. As they say, fewer total product bugs means fewer security product bugs. Also, excellent security can also drive revenue and margin if your customers care about it. These days, a lot of customers care about security. That means people at your company want to hear about security so they can make those customer happier.
Next time, we’ll discuss what practically works, and lay out the best approach for running a security organization that efficiently reduces security risk.
This story was originally published on Salty On Security.