Manufacturing Technology Insights, January 2021
IN MY OPINION
By Joshua Brown, Director of Security Solutions, H&R Block

The information security industry has been fundamentally broken for some time now. As a collective, the mantra is something like, "You've got problems? We've got solutions, er, products."

There, I said it. If you are in the industry, you probably knew this already. And yet, there has never been a security problem that has been solved solely by purchasing a product. We are continuously bombarded by news of breach after breach, followed by new messages in our inboxes offering to protect us from those same events if we just buy the newest Flaminator 3000™ appliance or service.

What's the root cause of the cycle of fear-uncertainty-sales? Sure, there is the intuitive appeal of a silver-bullet solution to the challenges we face. And doing security properly is rife with social, political and technical challenges. Security is hard. But that isn't it. No, the real cause is this: we don't know what better looks like.

Imagine for a moment that any other business unit operated the way that Information Security operates.

· No need to demonstrate an ROI. InfoSec is a cost center.
· No supportive understanding of what the business is trying to achieve. InfoSec is viewed as a hindrance to business agility, and the data it provides is often untethered to business objectives.
· No accountability. InfoSec has moved to the "assume breach" mentality, in part because it has been historically ineffective at preventing breaches.
· No need to demonstrate efficacy. InfoSec is a "dark art" that too often motivates by fear rather than facts.

We don't know what better looks like, because we don't know what matters to the business, and we don't measure the impact of Information Security on those things that matter. Instead, InfoSec too often attempts to show its value through measurements unmoored from anything the business cares about, and without any historical context. Look how many vulnerabilities we patched! Look at how many spam messages we blocked!

Information Security is the provider of security services to the business; as our customer, the business is entitled to understand how those services perform and to demand continuous improvement in efficacy and efficiency. To achieve that level of accountability, we need radical transparency. We need a new model for information security service delivery.

The model I propose is one that cleaves to the Google "Site Reliability Engineering" (SRE) model; I call it "Security Resilience Engineering." SRE requires the negotiation of mutually agreeable service level objectives (SLOs) for all security services delivered to the customer, and the creation of an error budget to monitor and manage against. Service level indicators (SLIs) are communicated