Generally, as any start-up matures, the people working in it go through a professionalization process. Silicon Valley may be home to companies where jeans and flip-flops are the norm, but Mark Zuckerberg, Steve Jobs, and Bill Gates are examples of how managing rapid growth and taking a company public leads to greater levels of financial and organizational maturity, as well as a hierarchy that echoes the structure of traditional businesses. This is logical – it’s one thing to be operating out of your garage when you’re still trying to find investors for your disruptive idea; it’s another thing entirely once your company is worth millions, if not billions, of dollars. Achieving a level of operational excellence allows start-ups to scale.
Yet this evolutionary process is not universal. Enterprise security culture, in fact, is a prime example of an area where operational excellence struggles to emerge, despite the fact that in today’s business climate all companies depend on and need operationally excellent security. Why hasn’t this growth occurred?
Following the RSA Conference last week, I had the opportunity to speak with Amit Yoran, the chairman and CEO of Tenable, a cybersecurity company focused on helping organizations understand and reduce their cyber risk. We discussed the reasons for the slow emergence of operational excellence in the security realm, and he offered up his theory for why this problem exists and some guidelines for how companies can overcome it.
Security is about processes
Quality security is not just about the strength of the locks and other mechanisms that make up the anatomy of a cybersecurity solution. (See my infographic for the details.) To complete the solution, cybersecurity must also be about enforcing processes. Process discipline can be redundant and monotonous, but it’s how quality protection is implemented and solidified. Just look at the way the Secret Service or the military go about their security procedures – agents and soldiers are trained to perform the same routines over and over to ensure safety.
Now think about the people who work in information security. They’re generally not people who have been successful by following orders and regimented schedules. As Yoran pointed out to me, “While a lot of security industry leaders have military or government backgrounds, many have risen through the ranks because they look at the world differently. They’ve thrived off of a creative mentality — the hacker mindset — not through disciplines that require and cultivate a skillset in operational excellence.”
It’s also about the rapid pace of change
Source: SANS ISC SecNewsFeed @ February 28, 2017 at 02:27AM