Friday, April 10, 2009


Explaining Security to Business People

The vast majority of IT security professionals in large enterprises don't usually interact with the business community, and therefore don't know how to convince it that well-established encryption algorithms, well-established key exchange protocols, etc., will be much better than whatever homebrew scheme it cooks up itself in a couple of meetings...

"Not invented here" is a common attitude in many enterprises when it comes to many things, but security is even more challenging: it requires others to acknowledge that their thinking is incomplete and that ad hoc schemes are not enough before they are willing to spend time and effort quantifying additional requirements.

Security is a business issue and many decisions should be made by business people. However, there is no framework that helps business people, who generally aren't as passionate as IT about seeking enlightenment, to participate and make informed decisions. Imagine what would happen if business customers came up with their own scheme to implement disaster recovery and/or high availability. They would probably come up with ways that are either expensive and ineffective, or simple and ineffective. There are many ways to handle HA/DR requirements, but usually you have to specify the need before you can decide how to meet it.

So, what are security professionals not doing that HA/DR types have figured out? Maybe this can be a conversation at an upcoming OWASP conference?

