A business is in business to make money.
You and me?
We’re in the business of living life.
Don’t forget either of these points, now or when you’re doing your (information security) work. Personally, I get messed up sometimes, thinking I’m in the business of securing/protecting everything under the sun, forgetting to live life.
Protecting information is a good thing, even a great thing, but it’s not THE thing.
For-profit organizations are in business to make a profit. Non-profit organizations are in business to serve a mission.
It’s not that binary though, is it?
There are mission-driven companies, and there are non-profit organizations that rake in millions.
What drives your organization?
I can speak from experience on this. SecurityStudio and FRSecure, the two companies I work for, are both mission-driven organizations. They are for-profit companies, but it’s all about #MissionBeforeMoney.
Our mission? To fix the broken information security industry.
We serve out our mission by:
- Serving in our industry’s best interest. We seek partnership and collaboration with like-minded organizations, and we steer clear of bad-mouthing and destructive behaviors. We avoid and/or terminate relationships with organizations that aren’t like-minded.
- Serving our customers’ best interest. Always. Two things: don’t ever sell a customer something they don’t need (or the rumor is I’ll run you over with my truck), and stay product agnostic (selling products and consulting shouldn’t mix for us because there’s an inherent bias).
- Building solutions to fix real problems. Real problems might be difficult to solve, but it’s what we do.
OK. What about your organization?
If you work for a mission-driven organization, what’s the mission? If you don’t know the mission, then you’re probably not working in a mission-driven organization.
Pure money-driven organizations focus on money obsessively. They will sometimes compromise quality and/or doing what’s in the best interest of their customers to make more money. In reality, pure money-driven organizations are heartless.
Thankfully, pure money-driven organizations seem rare. Most money-driven organizations are a mix of money lust and mission.
Why this matters.
You work for an organization. If you want success in return for your information security efforts, you’d better align your efforts with the purpose of the organization.
- You must figure out and communicate how information security feeds your organization’s mission, and/or,
- You must figure out and communicate how information security will make your organization more money.
Both can be done. It’s work. But it’s worth it. You’ll serve the organization better, and you’ll be better too.
Business people think information security is a cost center and/or some necessary evil. It’s obvious. How many times have you heard:
- What’s the minimum we need to do?
- What’s the cheapest way to check the box?
- We don’t include information security in business decisions because it slows things down.
- We don’t have money to hire help.
- Etc., etc., etc.
It’s no wonder we don’t have “buy-in” from the business. We’re not aligned with the business!
Every misspent dollar on information security is one less dollar for the mission and one more headache for the bean counters.
You’re in the business of living life, we all are. You might be someone who works in information security, or maybe you’re not. Either way, you’re still in the business of living life.
So, how does information security improve or make your life better? If information security doesn’t, why bother?!
- Passwords. No thanks.
- Scary things. No thanks.
- Extra steps. No thanks.
- More work. No thanks.
We need to figure out (for ourselves and others) how to position information security as something that improves life; something that makes life better. Information security is a life skill, and we’d all be more skilled if it was enjoyable and simple.
So, there you have it. “B” is for “business”. We need to make information security more “B” friendly at work and home.
Honorable Mention for “B”
- Basics – the basics of information security are what form the foundation of information security. Poor basics = poor foundation. Poor foundation = crumbling structure (or information security program). Most risk is found in missing (or broken) basics. Master them. If you don’t know them, learn them (book).
- Backup – bad things happen. What will you do when they do? No backup? Expect to lose data (forever). Expect it, because the time will come soon, and it’s never convenient.
- Bit – the smallest unit of data in a binary system, like your computer. Bits are cool. When they get together, they make bytes, kilobytes, megabytes, etc. Speaking of backups (above), back up all your important bits!
Next up, “C”.