Information Security / Cyber Security / Operational Security / All The Security costs money. It’s too easy to just ask for more budget and spend away. Instead, we need to provide value to the organization with security. As the meat bags, we cost a lot to employ, and we cost more with years behind us and sometimes with letters after our names. The tools can cost anywhere from $2K/year or $200/head to $500K+/year. And you need the tools, because no human can track/do/analyze/filter/protect it all. It can be more cost-efficient to scale with software than to increase headcount, but this will always be a balancing game between automation and human reason. And it’s a lot more fun to grab lunch with a coworker than with an IDS.
So, how do we provide security value? We must move from a cost center and an RGB-ready insurance program to something the organization can market. Security needs to be an asset to the org and a way of eking out an edge over the competition.
How do you become an asset that can edge out the competition?
I had a friend who years ago told me about an idea he had, and I think he implemented it at his org, but I don’t know if they’re still doing it today. He grew tired of his customers asking about the organization’s response to this vulnerability or that one being marketed as the latest and worst thing in the world, as he would have to write and then copy/paste so many emails. He wanted to do a subscription-based service where a customer could pay a small premium and access an area on the corporate website where such notices could be posted as available, and they could read audit reports, pentest reports, certification attestations, etc. I thought he was crazy (“sharing pentest reports??? Why don’t you just post them on a billboard” I would say). But over time, I began to see what he was doing, and companies now exist to do what he proposed.
For security to provide value, you have to be visible and loud. You need a page or two on the corporate website that shows what your program and hard work have done for the org. Show your certifications, show your pentest reports (at least the executive summaries, sanitized: remediated findings only, with no hostnames, IP ranges or other environment details that would hand an attacker a map), and if you can (some tools can do this for you with a trust page — contact me if you want suggestions or introductions to my favorites), tie some sensors or tests into your environment and report on them automagically, showing compliance with this requirement or that one. Be proactive about sharing your policies insofar as your company is comfortable sharing — I would suggest policy names or summaries. If you’re confident (and you *should* be, despite your imposter syndrome), share some numbers around your management of incidents (or if you have none, knock on wood and share your sanitized tabletop takeaways).
You need to show that your security program is a living, breathing entity, and it’s something to be proud of. Research your competitors as best you can (I’ll talk about some OSINT stuff in a future post), and do it better. When you have identified something you’re doing better, take it to your marketing team and let them spin it for you. I’ll warn you though — once you start doing this, you must keep doing it. So figure out how to move that needle, even if just a bit, and make it seem as big as possible.
If you can convert your program from a cost center to an expense of doing business (think about that difference — it’s important) and something your marketing team can use, then you will truly be bringing value to the organization in a way that is more than just letting you sleep better at night. You’ll never be as valuable as the sales team, but you can certainly be more marketable than some other departments (I’m looking at you, finance *tthppbbpptthhttt*)