This morning I am getting ready for today’s executive security lunch meeting in Grand Rapids, MI (sponsored by IBM). The question came up in a meeting yesterday, “What is an urgent security issue?” This may seem obvious to some, but when you start discussing it, opinions differ. For instance, an IT person might see anything that affects their job stability as an urgent issue, the security consultant might consider a lack of policy or compliance to be critical, but the business owner might not consider anything urgent until it’s been explained in layman’s terms – and they are convinced something is threatening their business.
For example, is malware urgent? When you think of malware on a PC, it’s tempting to think: this happens every day, and it might be easy to delete, therefore it isn’t urgent. However, if you explain to the business owner that someone outside your organization has installed code on their laptop that allows them to potentially collect passwords, read files, and even listen in on meetings or access some of their most sensitive databases, it’s urgent. Nortel’s recent discovery showed that malware (bots) had been installed to steal data over the past 12 years. Their AV experts could not detect it, yet their security officer suspected it. The executives ignored it simply because it wasn’t pointed out in a way that they could receive it. Had they known that a competitor was stealing their inventions, I feel certain they would have acted. If someone called this a virus with possible, but no actual, damage, they would have assumed IT had everything under control.
Being a provider of security solutions requires more than strong technical skills in the area of information security. It requires the ability to look at a business model and understand what is important. It requires the ability to predict where the weaknesses are based on the way that company uses technology. It also requires the ability to do some forensic investigation to discover what is really happening under the covers, and once all of that has been done, it requires that someone be able to piece together evidence in order to predict what might happen as a result, and what the likelihood is that something bad will happen any time soon. If this can’t be done, chances are that the executives will never take action. Their position is one of determining where to focus. Every day they must look at the potential opportunities and the possible risks; and after weighing whatever data they have, they’ll make a choice where to spend their time, money, and energy. If the data risks are under control, at least as they perceive them, no action will be taken. It is incumbent on the security professional to figure out whether the issues at hand are, in reality and in light of the business, critical or not. Then the challenge becomes one of presenting them in a way that compels the management team to take action. This is the difference between the professional security consultant and the backroom security expert.
© 2012, David Stelzl