This question came up during the Security 500 Conference last November, and it is still sticking with me. I don’t think you’ll find an easy or consistent answer. Often the answer to that question is “to protect people, property, information, reputation, etc.” But is that really the answer to what the role is? If it were, then all the decisions on how much to budget, what tools and resources would be needed, and how quickly they would need to be implemented to protect those assets would be security’s decisions to make. Many conversations with my peers about security’s lack of resources indicate to me that this isn’t the case.
So, if we don’t have the ability to make these decisions, what then is the role of security? Let me first propose that this is a fundamentally critical question and, as a CSO, I personally struggled with it for a long time. Knowing your role is important because it brings purpose to daily activities, develops a working philosophy, drives strategy, and may change how we perceive our own value for career satisfaction purposes. That’s true not just for security leaders, but for anyone in the industry, at any level.
Often when that question comes up, the answer is that the role is “to manage security risks.” I think this gets us a bit closer. If that’s the answer, then using general risk management practices (such as ISO 31000, the international standard on risk management) as guidance, we would be delivering proper governance structures with clearly aligned roles and responsibilities, understanding asset prioritization, capturing risks in risk registers and aligning them to the business, and fleshing out a security risk tolerance level throughout the company that would drive security reporting.
I don’t really think the question of what security’s role is is a complicated one. I do think that because our industry – at every level – cannot answer this question with consistency and back it up with consistent practice, it is hard for our industry to advance in stature. When we are not clear in our answer or our practice, we’ll continue to struggle to get a seat at the table, get promotions, obtain deserved pay raises, align with the business, or command the respect due to strategic thinkers.
Let’s use this as food for thought. Even if you are a young professional in this industry…what is your role? What is the role of the security department? Would your colleagues and business partners give a consistent answer? It’s different from the mission statement, and different from describing the role by pointing out the tasks that have been assigned to you. It is a question we should have an answer to.
Next month, I’ll take a deeper dive into how to evaluate security’s role within the enterprise, and what you can do to influence it. In the meantime, join the dialogue on this topic by commenting at SecurityMagazine.com.