Why do IT security specialists need to know and understand business, finance and return on investment to a certain extent? Why don't security people just do their homework by installing a security solution and some firewalls? After all, who cares?!
Have you ever seen a security consultant enter an organization, go straight to the IT room and start asking questions from a predefined checklist: "Do you have FIPS-compliant encryption?", "Do you have a compliant firewall in place?", "Let us purchase this and this"?
Even worse, when you decide to do your homework, pick a security solution and ask for money to secure your network, the people who write the checks may refuse to spend money on something they do not understand. They do not understand the technology, so why should they spend money on something they cannot digest or feel? "Wow, you want me to spend money to be what?? Secure?!! Who cares," says the CEO.
I will start with a fact that is strange to most IT security specialists: in order to be a successful security specialist and do risk assessment, you need to know about both technology and business. A lot of technology and a little business.
A lot of people simply forget or choose to ignore the need to know the business of the organization. They just install a couple of firewalls and build a security solution without knowing much about the business they are trying to secure. Believe me when I say this is one of the biggest and most common mistakes, and it happens all the time.
First of all, do not forget that IT exists to serve the business and make money. We are here to serve the business, not the other way around. The people who pay to purchase and implement security solutions are business people, and they need business justifications in order to spend money. It is not going to mean anything if you say "I need money to make the systems more secure". To a business person: okay, who cares! You want me to spend money on something I cannot see, touch or even feel?
Instead, you can say "we are going to purchase a firewall to prevent hackers from stealing business trade secrets; not doing that will cause us financial and legal problems". Now you have their attention, because you are talking about business loss and impact. That is, you should provide the business justification and return on investment for spending money on security, and state the cost of not doing it. In other words, you should start learning the concepts of business "risk" and "risk assessment".
Not only that: if you do not know what the most valuable assets of the business are, how can you know what to protect, or what to protect most? If all that matters to a business is the contact information in a file share, and losing those contacts would cause big damage, then it is not practical to put all your security measures on the company's web servers, which only host a static website whose loss would not actually affect the business much.
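As an added illustration (this is example code, not part of the original post), here is a small Python model of the prioritization argument above. It uses the standard quantitative risk-assessment formulas SLE = asset value × exposure factor, ALE = SLE × ARO, and ROSI = (risk reduction − annual control cost) / annual control cost, to rank assets by expected annual loss and to express a proposed control in the money terms a business person will accept. The two assets, their values and the control figures are constructed for the example and are not real data.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    asset_value: float      # loss to the business if the asset is fully compromised
    exposure_factor: float  # fraction of asset_value lost in one incident, 0..1
    aro: float              # annualized rate of occurrence: expected incidents per year


@dataclass
class Control:
    name: str
    asset_name: str
    annual_cost: float
    aro_reduction: float    # fraction by which the control cuts the ARO, 0..1


def single_loss_expectancy(asset: Asset) -> float:
    """SLE: money lost in a single incident."""
    return asset.asset_value * asset.exposure_factor


def annualized_loss_expectancy(asset: Asset) -> float:
    """ALE: expected loss per year if nothing changes."""
    return single_loss_expectancy(asset) * asset.aro


def rank_assets(assets: list[Asset]) -> list[str]:
    """Asset names ordered by ALE, highest first: what to protect most."""
    return [a.name for a in sorted(assets, key=annualized_loss_expectancy, reverse=True)]


def business_case(asset: Asset, control: Control) -> dict:
    """Return the numbers a budget holder cares about for one control."""
    ale_before = annualized_loss_expectancy(asset)
    ale_after = ale_before * (1.0 - control.aro_reduction)
    savings = ale_before - ale_after
    rosi = (savings - control.annual_cost) / control.annual_cost
    return {
        "control": control.name,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_savings": savings,
        "annual_cost": control.annual_cost,
        "rosi": rosi,
        "worth_it": rosi > 0,
    }


# Constructed sample data: the file share from the text versus the static web site.
ASSETS = [
    Asset("customer contact file share", asset_value=500_000, exposure_factor=0.8, aro=0.5),
    Asset("static public web site", asset_value=20_000, exposure_factor=1.0, aro=2.0),
]

CONTROLS = [
    Control("access review and DLP on the file share", "customer contact file share",
            annual_cost=30_000, aro_reduction=0.6),
    Control("web application firewall for the static site", "static public web site",
            annual_cost=25_000, aro_reduction=0.5),
]


def evaluate_controls(assets: list[Asset], controls: list[Control]) -> list[dict]:
    by_name = {a.name: a for a in assets}
    return [business_case(by_name[c.asset_name], c) for c in controls]


if __name__ == "__main__":
    print("Protect first:", rank_assets(ASSETS))
    for case in evaluate_controls(ASSETS, CONTROLS):
        print(f"{case['control']}: ALE {case['ale_before']:,.0f} -> {case['ale_after']:,.0f}, "
              f"saves {case['annual_savings']:,.0f}/yr for {case['annual_cost']:,.0f}/yr, "
              f"ROSI {case['rosi']:.0%}, worth it: {case['worth_it']}")
```

With these constructed numbers the file share carries an expected loss of 200,000 per year against 40,000 for the web site, so it is ranked first; the file-share control returns 300% on its cost while the web application firewall for the static site loses money, which is exactly the kind of statement that gets a budget approved or declined.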
I cannot emphasize enough how important it is to study the business from an IT security angle in order to understand what causes the business financial loss, reputation damage or even legal liability. Knowing those business risks will be your drive as a security specialist to start mitigating them from the IT side and directing IT spending in the right direction.
To summarize: IT security specialists should study the concept of business risk and how to mitigate those risks by implementing security solutions. Knowing what causes the business to lose money or reputation should drive you to focus your efforts on what to protect, and what to protect most.