Why should infosec pros care about your business' competitive advantage (i.e. moats)? Lenny Zeltser raises the most important reason why:
Information security professionals often complain that executives ignore their advice. There could be many reasons for this. One explanation might be that you are presenting your concerns or recommendations in the wrong business context. You’re more likely to be heard if you relate the risks to an economic moat relevant to your company.
We have all been there, many times, on the other end of "but why does this XYZ vulnerability matter to my business?" Then you blurt out some cost-per-record breach number or some random data breach stat about some retail breach. Then you get the same question again: "but why does this XYZ vulnerability matter to my business?" Followed by a dismissive hand wave.
Lenny Zeltser is right, we do get ignored but we can do a lot better.
The best way that I have found is to ensure that security guidance is presented in the context of how it relates, positively or negatively, to your company's competitive advantage: its moat.
Why does this matter to security? Security isn't a game of counting and removing threats and vulnerabilities. It's much more important than that. Security is a game of survivability.
As Chris Hoff sagely observed: security is all about survivability now. Or recall Howard Lipson's survivability goals:
The mission must survive
Not any individual component
Not even the system itself
What could be more fundamental to survivability for a business than its source of competitive advantage, its moat?
Not all businesses have moats. In fact, most don't (if yours doesn't, consider switching to one that does (just kidding (not really))). For the ones that do, there are different kinds of competitive advantage. Morningstar covers these, and it's important to be able to identify the type and ideally measure your company's moat.
Along those lines, Morningstar just posted a video where their analysts go into some more detail about identifying moats and how they matter in practice. It runs about 20 minutes, but it's well worth your time (and hey, it's Friday).
Update: Nick Owen said it in < 140 characters
Harmonizing the above, there's a military saying that if you try to defend everywhere, you defend nowhere. Security architecture is about choice, and figuring out where and whom to defend. The moat around your business is the starting point for that analysis.