(Just between us) No one cares about security... GRC helps though
Let's be serious now... no one cares about security.
Of course, YOU care. IT cares. Dev probably cares sometimes, but outside of that, who cares?
Just think about it. Outside of some curious souls, who cares about log4j?
What shook the security community did not impact anyone else.
We are all living in a massive filter bubble.
The ability to follow people you have common interests with (let's say... security) is probably the worst way to understand how your coworkers or the general public thinks about what you do.
If your timeline on Twitter is a log4j alumni get-together, then you have no idea what your colleague in finance's timeline looks like. They probably don't follow accounting-related accounts, let alone @SwiftOnSecurity.
I think when we work in a particular vertical, especially when it has made the headlines recently, we inflate our importance/criticality to the business.
It's like saying accounting became important after WorldCom and Enron. It kind of was before and still is. Having it under scrutiny of regulators did not change the fact that payroll might still be relevant.
Security's aim is to be non-existent. Being secure is a state, not an end goal. Areas that maintain an environment in which a business can operate have to be cost centres as a starting point. It is then that you have to make the case for your added value. If it were self-evident, you wouldn't have to convince anyone...
So (if you agree with everything that was said), no one really cares.
Does GRC help though?
Yes because, believe it or not, what people care about outside of security is exactly what GRC does. GRC is built to interact with all of the stakeholders that are external to security but critical to security's goals.
Who cares about Governance?
Do not bother us but show us everything is run well, that we have policies and standards that no one reads but that we can use to build a case for someone. When is the steering committee again?
Who cares about Risk Management?
Do not bother us but tell us for what projects you will need resources next year and that when we give you money, our security posture is better and communicate that clearly please.
Who cares about Compliance?
Do not bother us but remind us again if external accreditation bodies have certified our systems and if we can conduct business with customers with a reasonable assurance level.
TLDR: Just keep us in the loop.
Let's try this one, who cares about Container Security?
Me, you probably, the Infrastructure/Cloud security team, DevOps, Backend engineers and that's probably it.
Do any non-technical stakeholders not already involved in security care?
No.
But my company loves security
Not everyone works in technology companies; of those, not everyone works in software companies; and of those, not everyone works in an established company where staying in business is more important than getting new business.
Our bubble makes it a lot harder to understand how security is practiced where 95% of practitioners work.
You don't really have a say in the tyranny of now (and money)
You are a small piece of a massive puzzle called: a company
Conclusion
GRC definitely helps. Maybe the right kind of GRC, or the right type of individuals, but it helps.
It helps because it lays down the foundations to build the "Why" we should care more about security. As Simon Sinek likes to say, a "Why" is the key to building traction and changing the culture around security.
Kind regards,
I think, feel | read | write | speak | talk to myself, | talk to people, | sing, | strum strum strings | tap keys | tap screens | tap temples | Drink | eat | absorb | Discard
2 years: Ayoub Fandi "Security's aim is to be non-existent. Being secure is a state, not an end goal." Bravo Ayoub, Bravo!
Global Director Alliances, Strategic Initiatives, Super Connector
2 years: Once upon a time, maybe even 3 years ago, I would have completely agreed with this article. Our reality has changed in that time and now I think this needs to be rewritten. People do care. Remote people care even more as they realize their own houses have been targeted to provide bad people with footholds into their livelihoods. So, I'd rewrite it for the new reality. Decision makers and check writers are in a different place now. Get out and talk to them.