Every 10 years or so, technology undergoes a shift so fundamental that it changes the way we work, think, and behave. The last couple of shifts in technology brought us the personal computer, the Internet, the mobile revolution, and now the move to elastic (cloud) computing. The shifts in technology have caused shifts in the way organizations and individuals think about security as well, and I believe right now we are at an interesting inflection point which has opened (albeit for a short time) a tremendous opportunity. Security professionals have a limited opportunity to make sizeable changes in the way we behave and impact the businesses we serve ... the question is can we recognize this opportunity and execute on it.
Essentially, can we get out of our own way long enough to become meaningful?
A few months ago I was writing slides for a conference I was speaking at, and in reviewing my deck I realized that I was stuck. Everything was based around the idea that security was a goal ... when I really didn't believe it, and I got the feeling my audience wouldn't either. Then like Newton's apple, it hit me. I went through my slides and did a simple search and replace for security -> resilience. Think about it for a second.
Security as a topic is very limiting with corporate audiences. Obviously you and I care about security ... but the same level of passion doesn't extend into the business world where the goal is to, not surprisingly, grow the business. In the last 4 years here, I can count on one hand the number of organizations we've presented to where security was one of the organization's core goals. Rightly so - good security should be a component of what makes the organization successful but you can't expect 'security' to be a core goal.
Resiliency, on the other hand, speaks to core business needs much better than security ever could. Resiliency speaks to availability, incident response, business continuity and disaster recovery, and security all rolled into one. Resiliency is a measure of preparedness against failure - a component of which is security. I'm starting to think I should have changed my vocabulary years ago.
What does my lightbulb moment about resiliency have to do with the shift in technology we're undergoing right now? I believe it's the key to engaging in the new technology landscape.
For example ... cloud computing presents new capabilities in resiliency - from failure, from attack, and from general disaster. What could have been a failed conversation about securing the cloud can be a successful conversation about making your business more resilient through the move to cloud computing. Maybe it's just a subtle change in terminology, but it's making a difference in the conversations I have and maybe it'll be effective for you.
In fact, I'm going to spend some time writing about Enterprise Resiliency and the components thereof over the next few weeks. I'm curious what you think, and if you think the simple change in the word we use can make any difference in how 'security' is perceived, understood, and accepted.