I agreed to write this post on one condition: I had to use the word "whither" in the title.

While "whither" is an odd word, the theme of this post is not: what end does a security program serve?

As Chief Security Officer at Mandiant, I find myself thinking in terms of three imperatives:

  1. Compliance is the starting point for many security programs, because the organization is required to meet certain standards in order to conduct business. Organizations that fail compliance may not be able to sign deals, or avoid penalties, or obtain licenses to operate. Unfortunately, too many enterprises think of compliance as a "ceiling" rather than a "floor." The compliance program needs to be sound enough to satisfy regulators, customers, and other stakeholders, but it will neither deter nor prevent focused adversaries.
  2. Once an organization is compliant, it should not consider that the end of its security duties. Compliance is an exercise in meeting requirements. Moving beyond compliance, some think of security as a "competitive differentiator." Unfortunately, customers don't select vendors because they perceive one as more secure than another. Not getting breached is a table-stakes issue for customers. Competitiveness does play a role, however.
    Competitiveness matters because keeping data out of the hands of adversaries lowers the cost of doing business. If an organization lets competitors steal data on pricing, or product launches, or other critical business events, it becomes easier for the competition to win in the marketplace. Security's role is to preserve the organization's competitive advantage by denying the adversary access to sensitive business data.
  3. Avoiding a crisis is the third component I consider when justifying my security program. A breach or other sort of severe incident can be both internally and externally disruptive. At the very least it consumes valuable operational and executive time. Rather than focusing on serving customers or improving internal processes, security and management teams waste energy and resources on fire-fighting. After surviving a security crisis, organizations are open to making changes to avoid similar experiences in the future.

For more ideas on ways to justify a security program, please visit taosecurity.blogspot.com to read my 2010 post "Ways to Justify Security Programs: 13 Cs."