
How Does This Add Value?

This question, in short, summarizes my theme for the year. In chatting with a friend of mine a couple of weeks ago (see his article "Move your security career forward by looking back"), it occurred to me that I need to look back at what I've been doing and think about how I'm adding value. My short conclusion is that there's very little true value to be found in much of what I've done of late. Sure, my customers are happy, we've completed projects, and we've kept other projects moving forward, but to what end? In all the hustle and bustle of things, are we really making a measurable difference? And, as my friend Erin used to tell me back in my brief heyday as a security director, all the theory in the world doesn't mean much if you can't actually show what you've done.

Overall, I'm coming to believe that we've worked ourselves into a corner. We have great movements like Security B-Sides, but at the same time it seems like we're just talking loudly in the echo chamber. What are we doing to reach outside the community to, ya know, the people who actually need to do a better job with security? While I think there's potential value in revolutionizing the security industry, it only makes sense to do this if it helps us achieve our goals outside the industry.

I had a really long post started to cover my thoughts on this topic, but then I realized, half-way through, that I wasn't adding much value, just a lot of words. Instead, here is a shortened attempt at hitting some of my thoughts.

* What is value? First, I wonder how we define value? Or, how do we define success? Today, we're more often than not stuck with the old broken "perfect prevention" mindset. This seems, in part, to be human nature. Look at the response to the Tucson, AZ, shooting of Rep. Giffords and all those seeking to blame a single, simple cause. Gun control, reduced inflammatory rhetoric using violent allusions, or even increased personal security will not stop a crazy person from doing something unexpected, even if you expect it. The real question I have is this: did so many people need to be shot, or was there a failure in detection and response? We see the same problem with TSA, and with people in general. Until the survivability mindset becomes pervasive, thus allowing us to have a reasonable measure of success, we will not be able to adequately represent value. We cannot afford to continue trying to define value in terms of an unachievable definition for success. Instead, starting with a notion like survivability, we can then start to identify where we're adding value by improving monitoring, detection, response, and even to a small degree, prevention. Value will be those activities that demonstrably contribute to goal achievement.

* Is there an echo in here? The echo chamber is an increasingly dangerous thing. If the same people are saying the same things to the same audience, then where is there room for innovation and progress? As much as I appreciate the plethora of security events these days, it concerns me that we're also seeing many of the same people talking about the same things over and over again. It's time to get outside the echo chamber and meet the real constituents who are, incidentally, also paying your bills/salaries. If you're not adding value in their eyes, then I think we have demonstrated a major problem. Consider it another example of the Human Paradox Gap in action, except this time it's infosec people making decisions that impact the business with very little decision-impact connection. D'oh.

* Whom do we serve? If you're looking at adding value, then I have to come to one specific point: who gets to decide whether something is of value? That is, who is the customer? If we're just tossing stuff back and forth and writing for each other in this industry, then I submit that we've gotten off the right path and are failing (badly). If we cannot point to people outside the industry and show how we are adding value to their roles, responsibilities, businesses, etc., then I think we're not adding value at all, plain and simple. The only caveat here would be research, which should be free of some of these constraints.

As 2011 starts getting up to speed, I challenge all of you to ask the simple question "How does this add value?" about everything you're doing. If you can't answer it, even with something weak like "it gives me a chance to socialize with friends," then I submit that you should likely reconsider. I'm using this exercise to evaluate many things this year, and my conclusions thus far have been to reduce the number of conferences I'm interested in attending. I'm choosing things like personal vacation over other events like Black Hat and DEFCON, and I'm actively seeking to alter the places where I'd like to speak. It's not enough to cajole the industry into changing and becoming a bit more sane. It's time to leave the echo chamber behind and get into the field to start understanding people's needs and actively work to address them.

Comments (1)

Excellent post. IMO, it's difficult to demonstrate value until you treat security as an IT service. Services delivering resilient IT (app, device, net mngt), efficient access, informing biz owners to make the right decisions (compliance, consumerization, cloud, social media, etc.). We should be able to define our services and show how much they cost. Demonstrate effectiveness through measurement and ask the biz if they're getting value for the cost. It's amazing how a little process management demystifies security services for stakeholders. What's the % of incidents from basic, preventable vulns? Where's the echo chamber for management vs. implementing tech :-)


This page contains a single entry from the blog posted on January 11, 2011 3:49 PM.
