Resilient is the new secure - the evolution of business-relevant thinking

 

Every 10 years or so, technology undergoes a shift so fundamental that it changes the way we work, think, and behave.  The last couple of shifts in technology brought us the personal computer, the Internet, the mobile revolution, and now the move to elastic (cloud) computing.  The shifts in technology have caused shifts in the way organizations and individuals think about security as well, and I believe right now we are at an interesting inflection point which has opened (albeit for a short time) a tremendous opportunity.  Security professionals have a limited opportunity to make sizeable changes in the way we behave and impact the businesses we serve ... the question is whether we can recognize this opportunity and execute on it.

 

Essentially, can we get out of our own way long enough to become meaningful?

 

A few months ago I was writing slides for a conference I was speaking at, and in reviewing my deck I realized that I was stuck.  Everything was based around the idea that security was a goal ... when I really didn't believe it, and I got the feeling my audience wouldn't either.  Then like Newton's apple, it hit me.  I went through my slides and did a simple search and replace for security -> resilience.  Think about it for a second.

 

Security as a topic is very limiting with corporate audiences.  Obviously you and I care about security ... but the same level of passion doesn't extend into the business world where the goal is to, not surprisingly, grow the business.  In the last 4 years here, I can count on one hand the number of organizations we've presented to where security was one of the organization's core goals.  Rightly so - good security should be a component of what makes the organization successful but you can't expect 'security' to be a core goal.

 

Resiliency, on the other hand, speaks to core business needs much better than security ever could.  Resiliency speaks to availability, incident response, business continuity and disaster recovery, and security all rolled into one.  Resiliency is a measure of preparedness against  failure - a component of which is security.  I'm starting to think I should have changed my vocabulary years ago.

 

What does my lightbulb moment about resiliency have to do with the shift in technology we're undergoing right now?  I believe it's the key to engaging in the new technology landscape.

 

For example ... cloud computing presents new capabilities in resiliency - from failure, from attack, and from general disaster.  What could have been a failed conversation about securing the cloud can be a successful conversation about making your business more resilient through the move to cloud computing.  Maybe it's just a subtle change in terminology, but it's making a difference in the conversations I have and maybe it'll be effective for you.

 

In fact, I'm going to spend some time writing about Enterprise Resiliency and the components thereof over the next few weeks.  I'm curious what you think, and if you think the simple change in the word we use can make any difference in how 'security' is perceived, understood, and accepted.

Comments
BryanOwen(anon) | ‎05-19-2012 11:28 AM

Right on Rabbit...perhaps touting resiliency is no accident after the conceptual standoff you described in the SCADA Security post!

 

Resiliency is a winning strategy and is well considered in context of best of breed practices from IT and OT realms.

 

Information and automation technology may well be at an inflection point with respect to being hopelessly intertwined.  We need to work together to build digital fire breaks and really understand where and how automation should pause for a planned human response to cyber incidents.

Michael Fornal(anon) | ‎05-22-2012 09:50 AM

Raf,

I think changing the way we speak of security, especially to corporate leaders, would make a huge impact. Changing the wording around and using resiliency, I think, would help them to understand just what it is that we are trying to do for the organization. Too many times when the word 'Security' is mentioned the heads turn the other way and what is said goes in one ear and out the other, or we are accused of slowing down the growth of the business when in reality we are really helping to nurture the organization by keeping its sensitive information safe.

 

Thanks,

@fornalm

secolive(anon) | ‎05-24-2012 10:07 AM

Brilliant idea IMHO. Talking about resiliency probably helps express the problem in business terms first, and business risks in particular, which will cover security (but not only).

 

Now we need to rename the security department to "resiliency department", renaming CSO to CRO in the process. Oops, guess we're not completely ready for this wording change :) unfortunately. (yeah yeah I know I'm being too cynical - again).

 

Joke aside, I will definitely think about trying to present things from this perspective.
