Establishing Digital Trust: Don't Sacrifice Security for Convenience
But instead of congratulating us on our dedication, the boss looks at us as though we're speaking some freaky language... Klingon or Elvish, perhaps...
The problem is that we might just as well be speaking Elvish, because to the business people of the world -- and I'm lumping the boss into that group -- ''geek speak'' is indistinguishable from Elvish.
The bottom line is that we explained the problem in technological terms, so we lost our battle before it ever began. In this hypothetical situation, you might say, ''One of our IDS sensors just picked up a possible SQL worm hitting our server farm on the DMZ.'' Your boss hears, ''One of the flayrods is out of skew on the treddle again.''
We've failed to answer the most important question: So what?
We've erroneously believed that our job was to protect the computer and network systems, when, in fact, our job is to protect the business data and business processes that reside on the computer and network systems. There lies our failure and our path to success.
I see two possible ways out of this problem. We could teach the boss to speak Elvish (or geek speak, but getting the boss to speak Elvish would be way more fun), or we could learn to talk ''biz speak''. I think we're far more likely to succeed at the latter than the former.
We have to learn to put business issues into business terms so the business people can make the important business decisions. Yes, it is that important.
When we think that we're explaining the heart of the problem by describing the technical situation, we're actually obfuscating the pertinent details to the business decision makers. That doesn't help our cause and it doesn't help the decision makers to make their decisions. Of course, they are going to turn down our request for resources!
Incidentally, I've been using the ''we'' term throughout this piece because I see this mistake repeatedly throughout the IT Security world. I expect it's even more pervasive than that.
A wise former boss of mine once convinced me to start collecting incident data in terms of what the U.S. Department of Defense calls ''mission impact''. After a lot of pain and errors, we managed to start doing just that. Lo and behold, our incident reports started getting noticed by the senior-most decision makers at the Pentagon. It had worked.
This may all sound simple to you, but I assure you it's not simple and it indeed takes significant practice to perfect. Even then, you'll still find yourself making temporary lapses into geek speak when talking to the boss. So, I've put together a few tips to keep in mind:
So, following these pointers, we might see something like this.
Original: ''One of our IDS sensors just picked up a possible SQL worm hitting our server farm on the DMZ.''
Improved: ''Our customer database is under attack from a worm on the Internet. I've verified that the worm is a significant threat and that our customer data could become stolen or altered without our authorization if the worm hits our systems. I recommend we get IT to test and install a software patch ahead of their normal monthly schedule.''
That sounds a lot better than ''One of the flayrods is out of skew on the treddle again'', don't you think?
Kenneth van Wyk, a 19-year veteran of IT security, is the principal consultant for KRvW Associates, LLC. The co-author of two security-related books, he has worked at CERT, as well as at the U.S. Department of Defense.