What is Nonsense Security? It is a security plan or program without enough business sense in it. Sometimes the business sense element is called business alignment, but to be truly aligned with the business, the business stakeholders and decision-makers have to see the business sense in the security initiatives.
To get things done, successful businesses define clear objectives, prioritize them, assign the right resources, measure progress and make changes if needed along the way to get the intended results.
That’s not always the case with security programs. They often focus on “continuing on”, with the intention to maintain existing program elements as opposed to moving towards specific program objectives. Friedrich Nietzsche expressed it this way:
“Many are stubborn in pursuit of the path they have chosen, few in pursuit of the goal.”
Risks change. Business objectives and concerns change. Thus the risk profile either improves by plan and action or backslides by neglect or lack of initiative. A static security program drifts away from business relevance, either slowly or quickly, depending upon the rate of business and risk change.
Priorities
What is your #1 security priority? What are the next two most important security priorities? What resources are assigned and scheduled?
An objective or initiative is not truly a priority until resources are assigned. You usually can’t assign resources or get them assigned without being able to weigh the importance to the business, and express it. Plus there is the fact that being the top security priority doesn’t make something the top business priority. So where does security fit into the whole business picture?
Consequences
The purpose of a risk assessment is to identify and express the risks in the context of the business. It may take a few people a few days or a few weeks, depending upon scope, if you haven’t done a risk assessment recently.
Without it, you may be flying blind, guessing or hoping that what is being done is the correct thing for today’s business and risk environments.
If you already know where you stand today, and what your priorities are for the business tomorrow, that’s great.
If you don’t, invest in better security by putting more business sense into it. Determine the objectives that make business sense, prioritize, and move your security profile closer to where you want it to be.