Security As Trust

I was recently thinking about the nature of business and questioning some of my assumptions. I’d like to share a bit with you.

It seems that organizations want to maintain close relationships with their customers, and those customers expect certain unwritten rules to be followed. These rules are so obvious that they’re often not consciously considered as anything beyond the background of our daily purchase decisions. Even so, I think it’s fun to look at this.

As customers engage with organizations, they expect a certain level of respect in exchange for the money they’re giving. They want the product or service to be provided at the level of quality they had in mind, to be provided in a courteous way, and to have their personal interests protected.

Essentially, customers expect these organizations to act respectfully and in accordance with their interests. They want follow-through on promises in a predictable and consistent way, products delivered with timeliness and quality, and the integrity of the transaction protected. These make people feel secure in doing business.

Put another way, people will only give you money if they feel secure you’re going to give them something of value in return. It’s not enough to give them the product and move on. The product must perform as they expect, they must believe you’ll stand behind the product, and they must be treated respectfully throughout the transaction.

Essentially, customers must trust you. This allows them to feel secure and builds the basic willingness to do business with you. If we think about it, this makes security a characteristic of a trusting customer relationship.

This is not so much the security that keeps people from doing bad things, but rather the security that comes from a predictable outcome born of a rules-based transactional structure.

So what does this have to do with computing?

We recognize that computing is often strategic to organizations’ customer engagement, as it’s used to ease purchasing, improve customer service, and streamline communications. And of course customers expect these computer systems to provide the same (or greater) trustworthiness as an in-person transaction.

Yet I’ve seen substantial room for improvement in many organizations.

Instead of ensuring a consistent and safe experience, I see halfhearted stabs at security focused on keeping auditors happy. Instead of computers respectfully protecting customer data, I see systems with little operational discipline. Instead of a holistic structure that aligns to the needs of the business, I see technicians applying security controls with no concept of the overall goal. And worst of all, I see security technology that inhibits customers and the organization for no real reason.

This happens when IT organizations approach security as something they have to do rather than as a business enabler. This behavior drives a minimal level of attention and investment that results in insufficient and limiting security. Security becomes window dressing to make managers happy, not a means to protect or enable customers and the business.

So ultimately, misaligned security hurts customer relationships because it’s ineffective, constrains business value, and acts inconsistently with customer trust. This leaves business leaders and customers frustrated while bad guys exploit security weaknesses to gain advantage.

We must transform the perspective that security is only about keeping bad people out of things or complying with regulations. A first step towards fixing this is reconsidering security’s very nature.

Instead of considering security as defense and compliance, I believe we should consider it as a quality of both an organization and its computing systems. Security should be a quality assurance function rooted in delivering trust to an organization’s stakeholders.

Next time I’ll talk about how to consider computing (and security) from this perspective of quality.

The Myth of Security Governance

Security governance has become a hot term within the IT industry as people awaken to security threats presented by the internet. Yet the meaning of this term varies depending on whom one talks to, which often leads to confusion.

One meaning pertains to the application, maintenance, and continued risk evaluation of people’s access to information within an organization. This is about answering “who has access to what, why do they have it, and what have they done with it?,” which is a component of compliance programs for regulations and standards like SOX, HIPAA, and PCI DSS.

In this context, governance is about enforcing accounting-style rules within IT environments to ensure proper data access. At a higher level it helps ensure legitimate system use. This is a useful and necessary process so information consumers stay on the straight and narrow. It is also how the IT industry most vocally discusses security, especially with regulated businesses.

However, it is a mistake to believe that these processes, and regulatory compliance overall, are sufficient to ensure system security. There are numerous examples of regulation-compliant organizations that have fallen victim to massive hacks, clearly demonstrating this point: passing an audit shows that the controls in scope were present on the day they were checked, not that the environment as a whole resists an attacker.

I believe it’s more useful to regard security governance as the approach, structure, and rules for stewardship of an IT environment. Effective governance should protect that environment from unexpected behavior, be it human or technological, with the goal of protecting the organization that depends on the technology.

It’s useful to think of this stewardship style of governance like parenthood. A good mother or father wants to know how their child is behaving and who they’re spending time with. Rules are set to keep this behavior within acceptable boundaries. Hopefully these rules will be backed by the teaching of good values so the child is motivated toward good behavior and not to hurt others for personal gain. They should be effective at detecting, responding to, and hopefully preventing undesired behavior, but not so onerous that they prompt rebellion or crush the child’s life.

I’ve found that the most effective organizations take a similar approach to IT security. They understand their business goals, how their IT supports those goals, and the risks presented to the IT environment, and then match their security governance program to protect against those risks. This motivates people’s “good behavior” while discouraging any desire for harm. Effective organizations also take advantage of IT security to drive top-line revenue and lower bottom-line cost, even as the IT environment is well protected.

Security governance as regulatory compliance – the approach software companies and consultants find easiest to sell – helps with some aspects of data protection. Security governance as stewardship enables the organization even as it protects it. It takes additional effort, not least in aligning the organization to these goals and in finding people with the right perspective to assist. I’ve found it’s always worth the effort, though.

You may enjoy the wonderful article at https://gizmodo.com/snake-oil-salesmen-plague-the-security-industry-but-no-1822590687 about the challenge of getting people to take security seriously.

In the end, it falls to each organization to determine the results they’d like and the approach they’d like to take.