Security as a Business Function: Part 1 - Practitioners
- Brian M. King

- Oct 12
- 5 min read
What is the function of security? It depends on who you ask. CEOs will tell you it’s an endless money pit that bleeds revenue with no quantifiable results. PMs will tell you it’s an obstacle to success that extends timelines and creates roadblocks. Employees will tell you, “I think that’s the guy who issued my badge when I started 5 years ago.” All these answers lack nuance, and may indicate that the security function in your organization is not being used to its full potential.
For a true security professional, the answer is simple. Security is a business function. Just like production makes widgets, accounting tracks profits, and HR handles employees, the security department also has an important product to provide. This product is predictability.
The world is filled with risks and uncertainty. Although it is impossible to create environments which are 100% predictable, the security function works to flatten the curve of business instability. Without a robust security and business continuity component, any business or organization will naturally leave itself open to damage by external factors and actors. Whether in the form of crime (targeted or opportunistic), corporate espionage, careless leakage, environmental factors, or multiple other externalities, failure to adequately plan for and mitigate risk is a great way to ensure your organization will crumble when faced with an unplanned circumstance – especially one which involves a significant financial or physical loss event.
In this article, we will take a look at how a simple mindset change can have an impact on the quality of an organization’s security program and, in turn, the general health of the business.
Providing the best value for your organization
Everything is sales. If you pay money for something you are receiving a product. If you pay money for someone’s input, you are still receiving a product, albeit an intangible one. Likewise, if you make a piece of art and sell it, you are receiving money for the sale of that art. Similarly, if you are being paid by a company, you are selling yourself back to your organization.
Let’s pretend you had a computer and had 3 annual subscriptions. Each subscription costs $10.
1. The sales portal: this subscription allows you to sell your product and make money.
2. The bios subscription: this subscription keeps your computer running day to day.
3. The security subscription: this subscription keeps your computer safe.
Looking at our initial descriptions, if we are to draw inferences based on only the text provided, we may presume that subscriptions 1 and 2 are essential, while subscription 3 is a nice extra. You cannot make money without sales, and you cannot run the computer without the bios. The security subscription claims to keep your computer safe, but its results are vague and you have never had an incident.
If you’re a security professional reading this, you may be thinking “yes, but the lack of an incident doesn’t decrease the value of the security subscription, it actually strengthens it.” You may be correct, but it still stands that we haven’t demonstrated the value of that subscription. It is also unclear HOW the security subscription keeps your computer safe.
For this reason, it is important for us to expand our description of the security subscription. A better description may read as follows:
“The security subscription constantly scans for, and mitigates risks to the bios. It is updated continuously to monitor for the most current threats. When identified, the threats are quarantined by the subscription, allowing them to be reviewed and mitigated without affecting the operations of the bios subscription. This allows the sales subscription to continue generating income uninterrupted.”
“But Brian”, you may be asking, “the sales and bios subscriptions don’t go deep in the weeds on their benefits. Surely people will be able to infer the value of the security subscription.” Unfortunately, this is never the case. People are good at recognizing tangible value, but generally lack the skills to foresee how events might play out unfavorably, or miss the mark when a plan is not properly executed (or encounters unplanned variables).
This is easily translatable to the business setting. As a security manager, you must know exactly what business functions your department supports and how security is an enabler of those functions. You need to shift your marketing and focus from a defensive to an offensive connotation. For example:
Security does NOT “issue badges to keep unauthorized people out.”
Security DOES “maintain an access control function to ensure employees and visitors are able to access only areas required to do their jobs.”
Security does NOT “patrol the property to keep an eye out for crime.”
Security DOES “continually monitor all assets for disruption such as crime, equipment malfunction and other issues which may disrupt business operations.”
Again, you may be thinking “nice job making the security function sound fancy, but you haven’t really changed the day-to-day operations.” I would submit to you that in order to meaningfully change your operation, you must first change your vision. As mentioned before, everything is sales, and sales is about telling a compelling story. Nobody ever bought a product because someone explained to them how it functioned. They bought the product because they could see a meaningful space for it in their own life. Security is no different. Saying “we make badges” is the same thing as saying “this is a vacuum.” If the end customer does not understand why it would be useful, they will not purchase one. In security, we must constantly demonstrate our value to stakeholders and show HOW and WHY our function integrates and enables the business. Once we have a vision, we can move forward with being a true support function just as IT, HR, or any other “non-product-oriented” department would be in any company. No serious business person would ever attempt to run their business without a solid HR department, but many will choose to either slim down, or completely eliminate the in-house security function without consideration for downstream effects of that action. As practitioners, THIS IS ON US!
Creating this vision of the security role involves, primarily, a strong relationship with, and understanding of, the technical components of your company. Many security leaders rely on their past experience and understanding to recommend security solutions, when the reality is that security methods and technologies can become outdated or ineffective on a scale of months and years rather than decades. The paradigm of work has shifted several times in the past hundred years and will continue to do so. Those of us stuck in the past will provide no value to our organizations. As such, it is important for the security practitioners at an organization to have a true understanding of the business’s products, market goals, and the things which are important to the technical staff. Different protection methodologies will be used if speed is valued more significantly by the organization than, say, detailed technical excellence, or vice versa. By understanding these priorities, we are better able to provide bespoke solutions which can enable an organization to move more nimbly towards its goals.
A good example of this is a software company which is trying to shed its physical footprint to support a work from home environment. In this case, it is foolish for the security leader to prioritize the physical assets (badges, locks and cameras); the leader should instead pivot to an approach guided by the digital nature of the work (firewalls, information handling and WFH infrastructure).
In short, security functions best when it accounts for the priorities and goals of the business.
In our next post, we will talk about the ways the C-Suite can engage with security leadership to boost the strength of the program and increase results. Results you can SEE.