Where is InfoSec’s Steve Jobs?
Well, this is the second version of this blog after a wise client of mine gently reminded me that I needed something fresh. You see, my first attempt was more of the same message I have been preaching for the past several years that InfoSec professionals need to be more like business leaders instead of technologists. That message is still very valid and needed, but it has been done and now is catching on with many professionals around the globe. So, let’s change direction a bit…with a question…
Where is InfoSec’s Steve Jobs?
The same sage client pointed me to a great blog titled “If You Were the Next Steve Jobs…”1. The author of this piece does a wonderful job capturing the essence of what was different about this great innovator versus some of our traditional management approaches, but how does this relate to InfoSec?
It seems that InfoSec’s approach to solving the problems that justify its existence is to only focus on threats, vulnerabilities and risks. While I don’t want to trivialize those as they are critical…what about our customer? I believe we have lost touch, if we ever had it, with our main customer. There may be some debate about who is really our customer, but I believe it is the organization of which we are part and its stakeholders. And, in losing that touch with the customer, we have made our “products” way too difficult and complex to be truly effective. We always say that the best security should be transparent to the user, but looking around us today, do you see that?
For example, the user’s experience with security comes most directly from their workstation. Today’s workstation is continuously being assaulted by security “stuff” (user term) as much as by its “attackers.” The end-user experience is filled with constant updates and restarts, CPU-choking anti-virus and personal firewalls, and don’t get me started on password complexity. Is there any doubt why security has a negative image in the minds of so many? We have to change our approach to remember that the customer experience is still paramount and our battle cannot be won without the support of others. Human nature would show that people don’t support you if they don’t like you. Today, InfoSec is probably not liked in most organizations…
So, what to do? We still have to focus on the ever-changing threat environment, many times feeling like we have brought a knife to a gun fight. We have an amazing challenge in front of us, but with that comes an amazing opportunity to “change the world.” I am very hopeful that InfoSec’s Steve Jobs is out there right now crafting something truly remarkable…
____________________________
1 http://blogs.hbr.org/haque/2012/09/if_you_were_the_next_steve_job.html
Post by:
Thomas Lewis, QSA, CISA, CRISC, Partner-in-Charge, LBMC Security Services, Office: 615.309.2296





