Changing the Conversation Articulating the Value of Programmatic, Holistic Security
by Kim L. Jones CISM, CISSP, M.Sc.
“An organization does well only those things
that the boss checks or causes to be checked.”
-GEN Bruce C. Clarke
“The boss ‘checks or causes to be checked’
only those things which he deems to have value.”
-Kim L. Jones
The discussion started out innocuously enough… and frankly seemed like the start to a bad joke.
“Fifteen security professionals walk into a bar…”
I founded the informal CISO group in Phoenix many years ago, to allow local CISOs to network,
share ideas, and commiserate about issues and challenges under Las Vegas/Chatham House rules.
No vendors allowed (unless they’re buying the beer), and others allowed by invitation only.
At one of these gatherings, one of our colleagues brought his friend: the CIO of a manufacturing
company here in the town. He had a problem and was looking for advice and counsel from people
who spoke and understood security. The basic issue was that the company was getting ready to
sell their product into the federal space and needed to certify its operations against NIST 800-53 –
a fairly exhaustive and comprehensive standard. While the sales strategy had been approved, the
CIO was struggling with how to sell this initiative into a very freewheeling, innovative culture.
As CISOs, we jumped at the problem and provided what we thought were good and reasonable
answers. We talked of strategic alignment with the business objectives…return on
investment…protection of intellectual property…shoring up overall confidentiality-integrity-
availability within the organization…risk management…competitive advantage. To every solution
we offered, the CIO responded with the same phrase:
“I hear what you’re saying, but we value the ability to freely innovate in our company.”
In the end, we were forced to fall back on requirements for market entry – in other words,
compliance – as the only solution we could offer. This left the CIO unsatisfied…as it did me. Think
about it for a second: fifteen senior security leaders with a combined two centuries of experience,
and we weren’t able to come up with a credible and compelling answer to offer a senior
technologist who was asking for help.
I chewed on this problem for a long time, as to me it typified some of the conversations that we
regularly have with business executives in our various roles. After several weeks, I realized the
subtext of concerns that I and my colleagues were failing to answer. If I were to summarize the
between-the-lines conversation that was occurring, here’s what the CIO was really saying:
- Security is counter-intuitive to the existing values of our culture.
- Implementing security requires us to change our culture significantly.
- The value/ROI gained by this implementation might not outweigh the values lost or impeded
by implementing security.
- I’m not certain, though, because you have yet to articulate the value of security in a language
that I both understand and find compelling.
That last bullet is of particular importance. Despite the high value the CIO placed on the culture’s ability to
freely innovate, this freedom did not include, for example, allowing new engineers to unilaterally
make a $1 million commitment on behalf of the company without appropriate process, checks, and
balances. Clearly there are competing values at play within the company that are viewed as having
merit to the leadership team. As security professionals, we failed to express the value of
programmatic, holistic security in a language and manner that was truly meaningful to the audience
(the visiting CIO) …
…and I would contend that this is often the case.
I am proposing that we change the conversation with our leadership to one of value and begin to
discuss injecting the security values which we champion into the DNA of our organization’s
operating models and culture. If we can have this conversation freely and openly, then discussions
around tactical implementation measures become less contentious. More importantly, we can now
move the discussion to issues of security versus compliance and the value of focusing on this larger
issue.
What follows is an attempt to define the values of a good security program in clear, easy-to-
understand language. I have also provided operational tenets and statements around those values
in order to promote and ease the conversation. It is my hope that this material can be used to change
the dialogue around security into a more constructive and thoughtful discourse.
The Concept of “Value”
The definition of “to value” is something upon which most individuals can agree. When you
discuss “the value,” though, things get a little fuzzy. Everyone talks of values and their import; ask
people to define what a value is and people tend to provide a circular definition which provides
little clarity to the discourse. For the purposes of this dialogue, I did some research into the topic.
I do not claim to have the be-all-and-end-all answers to this question, but hopefully my definitions
and terms can be seen as reasonably accurate.
At its most basic, a “value” is a concept that is fundamentally important to someone – with someone
being defined as an individual, group or organization. If I were to go to something a little more
structured, I would look to the definition offered by Dyer and Dyer: “a value is the embodiment
of what an individual or organization stands for.” [1]
Organizational values may either be stated or implied – and are usually some combination of both.
An organization or group may have stated values of Quality, Innovation, Integrity, and Customer
Service; however, there may be other unstated values such as Candor, Legality, Safety, and Speed-
to-Market.
Figure 1
The interrelation between values within an organization is always interesting. No set of values
wholly aligns with one another when operationalized; there is a healthy and (hopefully) supportive
tension between the values of any organization – though when stated and unstated values enter
into unhealthy conflict, it is usually the unstated (implied) value that wins.
[1] Dhar, Santosh and Dhar, Upindor (editors). Value Based Management for Organizational Excellence. New Delhi: Indian Society for Training
and Development, 2009.
Figure 2
For example, if the stated value is Quality, whereas the unstated/implied value is Speed-to-Market,
organizations will more likely sacrifice quality assurance and testing in order to get their product
out the door faster.
Values are an important part of any culture, where culture is defined as “the philosophies,
ideologies, values, assumptions, beliefs, expectations, attitudes and norms that knit an organization
together.” [2] It is important for security professionals to remember that deploying or changing a
security implementation, by definition, changes the culture (even if only to a small extent). This is
why something as simple and straightforward as implementing a shredding policy or badging
policy can meet heightened levels of resistance within an organization.
Having a value is one thing, but what does this value mean in our day-to-day lives? Most
individuals and organizations create a set of operational tenets based upon their values which
allow us to take the somewhat esoteric concepts embodied within a value and provide us with
guidelines for action and behavior. If the value is Safety, for example, the operational tenet might
be “do it safely or don’t do it at all.” If the value is Quality, then one of the operational tenets
might be “there is always time to do it right.” Operational Tenets are the directional statements of
belief which are designed to directly influence behavior, attitudes, and outcomes within an
organization.
It is important to remember that every decision an organization makes is influenced by its
collective values. No organization or individual willingly acts against the totality of its values