At a recent security conference, a couple of old cronies sat around the lunch table like crusty baseball veterans on the bench at spring training. I couldn't help but overhear them reminiscing about the good old days when security was security. It was about the hardware, overcoming proprietary mindsets and making an access control system work, come hell or high water. It was about treating your guards right and scouting for that up-and-coming ex-cop who had the right stuff to eventually step into the show.
Nowadays the security game has gone soft, said one fellow. It's all about business models, software, return on investment, mitigating risk and boardroom buy-in. And worst of all, chimed in another compadre, we're now expected to team-build and cooperate with other departments. I could see his skin crawl as he spit out the words.
What's a security professional to do? Well, according to security's new breed, you play the game by the new rules or don't expect to see your name on the roster.
"Senior corporate execs think only in three ways: people, money and information," began Steve Hunt, CPP, CISSP, the founder of 4A International, a security consulting firm based in the Chicago area. "The first business message most CEOs got right after 9-11 was there was too much waste in their security departments. They realized very quickly that most physical and IT security managers had never even met."
Hunt said that when you are trying to sell security to C-level execs, your best tactic is to never talk security. "You want to call it 'operational business risk' if you really want to get their attention. Security is never the point in business anymore. The company doesn't want security as much as it craves financial stability, operational stability, and most importantly, compliance," Hunt said.
Greg Akers, senior vice president and CTO for global government solutions at Cisco, stressed that the security process must become proactive. At the recent Corporate Security Roundtable, sponsored by SIA, Akers discussed several of his guiding security principles. The most important of these was that you can't secure what you don't manage, and you can't manage what you don't measure; therefore, you can't secure what you can't measure. Simply put, make sure you have an accurate accounting of your security risk. You must quantify and qualify data, then prioritize your areas of risk.
Again, here we have simple business principles being applied to security. In baseball terms, the ball may be the same, but the pitch is certainly different. So what is a security professional to do? My advice is, take more batting practice!
If you have any questions or comments for Steve Lasky regarding this issue or any other, please e-mail him at [email protected].

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive
Steve Lasky is Editorial Director of the Endeavor Business Media Security Group, which includes SecurityInfoWatch.com, as well as Security Business, Security Technology Executive, and Locksmith Ledger magazines. He is also the host of the SecurityDNA podcast series. Reach him at [email protected].