“Dave, what’s your secret!!” - I said to my Security Director customer
Dave is the security director of a company that processes nearly 200 million transactions per year!
“It seems like you have a very good relationship with your development team,” I continued. “You guys are always on time fixing most of the vulnerabilities we uncover.”
Dave looked at me and laughed :)
Sensing that Dave does not want to let in easily, I continued:
“Dave, you have 5 product lines, how many dev teams are there?” - I asked
“8” - Dave answered with a smile
“You guys must have a great culture internally” - I said
“Not necessarily!” - Answered Dave nervously
“You don’t report to the CTO, do you?” - I asked
“No, I report to the CIO” - Said Dave
“What’s your secret then?” - I said
“I explain what happens if we didn’t fix a particular vulnerability” - He said
“Tell me more!! You mean what an attacker can do!” - I said
“No, they are immune against the attacker angle” - He said
“How then?!” - I asked, sensing a gem coming from Dave
“I know where as a business we are hurt the most, and I use that to explain the consequences” - He said
“I still don’t understand” - I said, sensing that Dave might be looking to protect his secret
“For example, I know it costs us $100,000 for every hour of downtime, so I simply tie a vulnerability that has a side effect of denial of service to this number. All of a sudden, the conversation is not about IF we fix it, it is about WHEN and HOW we fix it” - said Dave
I looked at Dave as if he had just invented fire!
“WOW, interesting, how did you get the $100k figure?” - I said
“It took some digging, some conversation with DevOps, some peeking into contracts, but it is not hard to get once you know where to look”
Here are my takeaways from my conversation with Dave:
1- Technical risk is only appreciated within the security community; business risk is universally understood within the organization.
2- Communicating business risk based on technical risk is so underrated. It sounds so simple, but very few security folks do it.
3- Security is not a goal in itself; it supports business goals, and we need to act as such.