#EntSec pt. II -- Accepting Exceptional Mediocrity

Friday, November 04, 2011

Ali-Reza Anghaie


In the opening barrage, I suggested the greatest sin of security professionals is not using their skills to produce better product for the Enterprise, both internal product and customer-deliverable product.

My second point, and the topic of this post, was stated as "Security needs to provide product, service, and visibility to the core business" and in retrospect that was possibly the worst way of saying "Security needs to be a selling point for all products and services"...

Now that we've decided we're going to engage our skill set through side-channels to help our Enterprise deliver better product, increase our business relevance, and integrate ourselves into the development lifecycle, we're going to ~market~ our new-found Enterprise Religion to the outside world.

Marketing and Engineering won't like this, I can almost promise that. However, when those same exact people are customers elsewhere, they fall prey to market-speak about security like the infamous 'Military-grade encryption' gambit. So it's time we take back our own marketing and talk about security and privacy the way we expect our own family members and professional counterparts to practice it.

I don't know a better way of expressing this than through hypothetical examples...

Let's say you're Zerocks and rolling out a new multi-function copier/printer/fax/bagel toaster. Don't be afraid to talk about how you've integrated security into the development lifecycle. Right on the one- or two-page PDF, put information on where customers can find your privacy policy for support, your security contacts for reports and questions, and your downloads for security errata.

Just like the total page lifecycle and failure rates are stated, make sure your security message and availability are provided. You work 24/7, monitor your email, stay up hoping not to see your company name on Pastebin... let them know exactly how hard you work for their security. Everyone is going to suffer escapes, and just like technical incident response, it's how you communicate and make yourself available to customers that defines how they'll react to you in the future.

Now you've moved on to Jawbohn and you've created a new-fangled Bluetooth-enabled health recording device. What's the security model? How do you wipe the device? Is your online portal for syncing to, say, Nyke tested regularly for vulnerabilities? All of this needs to be clearly documented, turned into standard work, and integrated into the marketing and support workflows across the Enterprise.

Insist on it. Insist.

I'd go so far as saying that if you're interviewing for new employment, talk about these ideas and see how receptive a new employer is to raising the visibility of their Enterprise Security department.

If you get pushback, approach it from the same perspective that Engineers would for an Industrial product. Have you increased fuel efficiency? Lengthened the interval between regular maintenance? Etc.

In reality you've done exactly those types of improvements through the integrated security lifecycle and participation discussed in the prior post. Start, with humility, to take credit for it and communicate it pervasively. This stuff matters to customers, it really does.

Now, I know that Sony and others have seemingly gotten away with massive escapes, but that tide has shifted. It may not be reflected in stock prices yet, but if you wait until it is, you've waited too long. It can be a competitive advantage now and, in particular, with the key tech- and privacy-savvy influencers of families, Universities, and classmates.

Respect for a brand can stay with someone for decades. It's my belief that if you influence through Enterprise Security, you will attract a better breed of customer and customer loyalty. This is a worthy selling point and worth marketing. And you still don't have to shave or put on shoes to do it.

We need a bigger piece of the proverbial pie, we simply must have it (1), and I hope you agree that my rambling musings can help you slowly get a bigger cut for your Enterprise Security department.

Cheers, -Al

(1) Daniel Geer and Peter Kuper: http://geer.tinho.net/ieee/ieee.sp.geer.1109.pdf

Cross-posted from Packetknife's Space
