Whether your business’ core competencies involve products, services or legally binding promises, delivery is a measuring stick that’s used to evaluate you.
Do you deliver what customers want ahead of the industry? Do you deliver it better or cheaper? Do you deliver a different experience; are you a boutique for your industry?
Regardless of what you’re delivering, if you aren’t dependable to your business associates, partners and employees, then you’ll find that your customers aren’t the only factor making you successful. People upon whom your business depends (not just customers) are not exchangeable cogs. Whether you use well-defined and highly efficient processes to deliver faster or less expensively, or whether you craft an experience for your customers that your competitors haven’t been able to duplicate, you have a dependency on employees internally and partners, associates and contractors externally.
When your workflows grind to a halt because no one in your company can log into the systems that enable your business, you can’t deliver … anything.
When your employees, contractors, associates and partners cannot trust you to secure their contracts, personal or financial information, business plans or visions for growing and protecting profits, then you become ineffective.
A week ago Sony Pictures Entertainment (SNE) was outed by Guardians of Peace (#GOP) when the self-described hacker group changed login screens on all Sony Pictures computers (among other, more insidious activities). Media outlets appear berserk in trying to attribute this to North Korea or someone else this soon after the event.
My point is that regardless of the origin, it’s the characteristics of the attack that matter. According to #infosec conversations, investigators have cause to believe whoever hacked Sony was inside Sony’s electronic boundaries (their networks) for about 12 months, collecting data and planning how to cause the greatest damage. The hacks that were performed weren’t simply targeting data to steal; they were destructive at a very low level on the hardware and electronic bits.
If you have the inclination to sift through numerous reports on the incident, you’ll find facts and speculation about what was taken and what was shared with anyone on the Interwebs (SSNs, salaries, business plans, unreleased movies, etc.).
I decided I wanted to move from being a developer to being a technical lead because I had both programmed for years and I was tired of sitting around griping about how some technical decisions were made into which I had little input. I sought to move into more senior technical roles because as much as I like coding, I saw a bigger picture that includes business strategies, value statements and culture and I wanted to address those … a set of responsibilities that I couldn’t address as a developer or even tech lead.
As a technical architect, champion or whatever the new HR title is in the industry these days, I’m interested in helping people who need to understand that security, compliance and privacy issues are core competencies to the business and not commodities due to the complexity of applying them within the context of each specific business.
I read books, blogs and papers on business, management, audit, information security, risk and risk management. I listen to podcasts, engage peers via Twitter, email, forums, conferences and in person in efforts to vet and continually mature information security and risk management. It is a disappointment that almost universally I find infosec and audit peers saying that the only dependable way to achieve lasting changes in maturity is to wait for any business to have a significant enough breach event or public compromise of its resources so that the business is forced to seek direction on security and risk management.
I hope that growth in business isn’t like poor investing; chasing after yesterday’s winners while throwing aside solid principles that achieve positive long-term results. I’m concerned that immature business leaders (read “budget holders”) are running as fast as they can to whatever is getting attention today rather than establishing a business vision that leads their industry rather than following what everyone else is doing … as though anyone else knew their business any better than they do.
Security and Risk Management are business-enabling core competencies that cannot afford to be outsourced.
Following is not leadership no matter who tells you that it is.
I’m betting Sony Pictures can attest to that right about now.