On the Importance of an Information Security Service Mindset

Introduction

The operational efficiency and effectiveness of information security services within corporate environments has always been an important aspect of a professional information security strategy. Security technology needs to be actively operated in order to add value, since the technology itself adds hardly any value to the business. For example, a firewall which controls access to network segments must be operated actively by professional staff who review logs and add, change and remove rules. The firewall technology, by default, does not add any value; it is merely a means to an end. Only through its operationalization is a risk-reducing effect for the company created.

While this isn’t fundamentally new, I believe that the information security industry hasn’t taken this aspect seriously over the last decades. One player responsible for this situation is the security technology industry, which constantly pushes the latest and greatest tech without considering whether it delivers on its promises or truly solves customer problems. Another example: billions have been spent on anti-malware products and other security technology - and does it actually prevent companies from getting compromised? No - partially, at best.

I share the opinion that we strongly overrate the value-add provided solely by security technology. We place too many expectations on it without thinking through how technology adds value through solid operationalization that supports the business objectives. Effective operational integration and thoughtfully engineered implementation are what transform a security tool into a powerful asset, rather than just another piece of expensive tech.

Living a Service Mindset

Looking at human history itself: technology alone has hardly solved any of the fundamental challenges of mankind on this planet over the last hundreds or even thousands of years (e.g. peace, eradication of hunger, poverty, climate etc.). Hence, technology should be viewed as a means to an end, rather than the fundamental purpose. For information security organizations, the ultimate goal is to protect the brand by managing, mitigating and ideally reducing infosec risks in an efficient and effective way, not merely implementing the latest fancy security tech.

(Security) Technology in the modern world is a service enabler - it helps to operate risk-reducing services that the business can benefit from. Without that technology (e.g. a firewall), the service (e.g. a perimeter service) couldn’t be offered and the associated network risks couldn’t be addressed.

Another argument in favor of prioritizing service over technology is this: living a strong service mindset enables us to act in accordance with what metrics, KPIs, reports and statistics show us. It enables acting based on data and facts instead of assumptions and perceptions. In mature organizations, this is a requirement for control effectiveness and efficiency. But even more, we also enable our non-technical stakeholders to understand us better, meaning we are getting closer to the business. And this is what the security industry ultimately should strive for in order to be taken seriously. We want to be seen as a business enabler instead of an entity that primarily says No and acts as a cost center. Focusing on the customer and the service enables the CISO to tell a strong story based on data and facts, and to use this information to communicate the value of the infosec mission and program. For example: “The perimeter service has been used X times by stakeholders in the last 12 months, leading to the following risk profile today.”

It enables a shift from a technology-focused discussion (we need technology X to resolve problem A) towards a more service-oriented discussion (we need technology A to enable service X for supporting the business).

Conclusion

Information Security was never really only about technology, although some of us, including myself, wanted it to be like this. Various infosec risks, which have been around for decades now, are still not addressed by technology, e.g. phishing, malware etc. So we, the infosec community, need to move away from justifying our existence through the technology we deliver with the intention of addressing business problems. Instead, we need to transform ourselves into a security service organization, backed up by strong and solid engineering that delivers solutions in a tangible and clear way to the business. This way of thinking aligns with the growing demand for CISOs and their teams to be more closely integrated into the business, moving away from a siloed, IT- and technology-focused mindset.

This post is licensed under CC BY 4.0 by the author.