As an industry, I think Information Security still has quite a bit of growing to do. We have better tooling, more advanced reporting, and an ever-increasing wealth of metrics and data points to analyze, yet we are still stuck with some of the same outdated perspectives that have worked against us. If you were to ask most people what security actually is, they would likely respond with something along the lines of "protecting information from cybercrime." This does the industry a bit of an injustice, because it creates an artificially narrow scope, and that narrow scope often influences the stakeholders and decision makers who are responsible for funding and supporting security. Information Security has many facets, each requiring different approaches, tools, and mentalities. It would be impractical to try to cover all of them here, so although personal security is just as important, I want to focus specifically on enterprise security.
Before we go any further, I feel the need to address the "cyber" issue. As security professionals, we all tend to cringe when people use media buzzwords like cyber. But we should be careful. Security affects everyone, including those who don't understand it or our industry-speak. What matters here is effective communication, even if it means using words we are averse to. Let's face it: we've lost the "cyber-war". Cyber is here to stay, and if we waste precious time and energy debating whether we should be using these buzzwords rather than focusing on communicating effectively, we're going to lose a lot more.
This brings us back to the injustice of perspective. Information Security isn't simply a rat-race against cyber criminals. It is a discipline that affects everyone across all departments, and it should have a broader audience than just security professionals. There is a pervasive legacy perspective that sees the different organizational teams as individual silos, each working on its own piece of the puzzle. While there is some merit to this in specific applications, it ignores the larger objectives we are trying to reach. To succeed, security needs to be accessible to the largest possible audience across all teams, and an organization's security models should build that inclusive philosophy into their design. This is crucial because of what effective security impacts beyond cybercrime.
Most people may not even be aware that Information Security is built upon three pillars, our core security principles: Confidentiality, Integrity, and Availability. The truth is, these are operational missions with far-reaching impact on multiple departments, teams, and organizational units. I don't really see Information Security as a separate silo here, but rather as a particular discipline within an Operations team. This is not to say that we don't need dedicated security professionals and that Ops should handle everything. More precisely, I mean that we should break down these silos and integrate the teams more meaningfully. Security should work in tandem with other teams to make sure every part of our data pipelines has a place within our security lifecycles. Operations holds the widest-reaching links to disparate parts of the organization, and it maintains a depth of insight spanning technology, business operations, and policy that is hard to find in other organizational units. By integrating Information Security here, we create an opportunity to build security lifecycles around our existing business processes. The role of a security department shouldn't be to replace or override the functions of any other department, but to supplement them. Done properly, security teams shouldn't be creating friction for other teams; they should be creating meaningful, productive paths that other teams can use to improve their security posture.
In the end, enterprise security is not about hardware, stacks, or systems. It is about providing the security our business needs to succeed in its mission while accepting the lowest risk profile we meaningfully and reasonably can. That can be a hard point for many to understand, even across different teams. Often there is a prideful desire to implement the most encompassing and complete environment one can theorize: perfect security, so to speak. Such attempts are rarely rewarded. More often, debate over the perfect leads to impractical expectations and divides. What we need instead is a translation of the impact of security risks into terms measured against the business goals. How do these risks affect liability, compliance obligations, or loss of assets? (Assets don't have to be tangibles like revenue; they can be customers or reputation.) A balance between acceptable risks and reasonable security models will usually be far more productive and rewarding.
Integrating Information Security teams into your Operations teams also provides an accessibility benefit with management. The traditional role cast for security professionals, as naysayers and task generators, doesn't foster a productive work environment. Executive management already has a firm understanding of the concrete value an Operations team brings to the business. As an extension of Operations, functioning within that role, a security team's value becomes concrete by association, and it is far more likely to be understood and accepted by executive management and stakeholders.
The evolution of Information Security into a core part of Operations is absolutely necessary for its healthy growth into future domains. Adversaries don't care about silos and boundaries; it's long past time we did something to transcend our own.