The Most Important Security Question Ever Asked

Wednesday, June 01, 2011

Rafal Los


I've been learning a lot lately from one of my senior colleagues who's been doing this software security assurance thing much longer than I have... and the more time I spend with him the more I understand that it all comes down to one very simple question.


Whether you're looking to trick out your ride, or trying to implement some measure in your software development lifecycle - you need to keep asking yourself "why?".

The trick to asking why is that you can't just be satisfied with the first answer you get, or even the next 2 or 3. Keep asking why until you're satisfied that the answer is concrete and real enough to proceed.  Allow me to demonstrate.

The context for this example is a medium-sized retail organization.

The organization uses technology, and by extension its web applications, as a business enabler - but it's important to note that the organization doesn't actually sell or directly profit from the development of web applications. 

The Information Security Manager wants to implement an application security testing technology.

Naturally, as I've already said, it's critical to ask "why?", but it's just as important to keep asking why until a concrete answer is obtained.

ISM: "We need to implement an application security testing technology"

You: Why?

ISM: "We need to be testing our application code"

You: Why?

ISM: "We need to be compliant with X regulation"

You: Why?

ISM: "If we're not compliant we can't process credit cards, thus making money"

More than anything else, that last answer is what you need to get you started.  At least now you have some business goal to move you forward. 

If you kept digging into this you may find out that there is a specific amount of money that the site or application makes for the company per day or minute. 

You may be able to find out the value of that application in terms of downtime, or the value of that customer database ... and now have a financial basis for pushing your agenda.

The point is, if you don't keep asking why beyond the initial superficial reason you get, you won't have a valid business reason for doing what you want to do. 

Sometimes, the effort doesn't have a valid business reason - and then you already know what the result will be.

Start asking why because you need to know. It's the most important question you'll ever ask.

Cross-posted from Following the White Rabbit

Comment by Joe Schorr /DeepThroat:

"Just... follow the money."

Amazing how asking 'Why' in a business context will inevitably lead back to that; money. Even in a non-profit that can be the case, particularly if they are worried about litigation or decreased funding.

Jumping directly to the 'money' motivator can definitely smooth the 'selling' path. The trick is teaching in-the-trenches/under-fire security folks to think in those terms and identify the $$$ drivers in their bailiwick.

Articles like this can get the ball rolling in the right direction.
Comment by Chris Blask:

I carry around a preso by Stu Phillips from 2000 to remind people (including myself) the same thing. Classic lines from it:

"Your customer's goal is not to buy a firewall."

"Try to go two minutes without saying how secure this will make them."

"Nobody cares how digital certificates are revoked."

VPNs don't secure communications, they lower cost while increasing productivity, therefore profitability. (and so forth)

The bane of our industry is thinking that everyone wants to be secure. No, they don't. Being secure (may be) part of being profitable (or, as Joe points out, being less likely to lose their funding/get sued). Security is virtually never *why* an organization exists, we need to support that "why".

Good article.
Comment by Chris Blask:

@Lance

My favorite line from the preso is the:

"Nobody cares how digital certificates are revoked."

As CEO of Lofty Perch I was leaving a meeting with the executive team of a rugged router manufacturer and feeling quite smug about how it went. My VP Ops was with me, and turned and said; "You just told them how digital certificates are revoked" (I had printed that slide and pinned it up in the office). He was right. I had gotten so enthused about the technical issues that I forgot that their goal was to sell routers.

To this day that vendor has done virtually nothing to increase security, and it is my fault.