Can We Talk? Finding A Common Security Language by Jason Polancich.
From the post:
Today’s enterprises, and their CEOs and board members, are increasingly impacted by everyday cybercrime. However, despite swelling budgets and ever-expanding resource allocations, many enterprises are actually losing ground in the fight to protect vital business operations from cyberharm.
While there are many reasons for this, none is as puzzling as the inability of executives and other senior management to communicate with their own security professionals. One major reason for this dysfunction hides in plain sight: There is no mutually understood, shared, and high-level language between the two sides via which both can really connect, perform critical analysis, make efficient and faster decisions, develop strategies, and, ultimately, work with less friction.
In short, it’s as if there’s a conversation going on where one side is speaking French, one side Russian, and they’re working through an English translator who’s using pocket travel guides for both languages.
In other business domains, such as sales or financial performance, there are time-tested and well-understood standards for expressing concepts and data — in words. For example, things like “Run Rate” or “Debt-to-Equity Ratio” allow those people pulling the levers and pushing the buttons in an organization’s financial operations to percolate up important reporting for business leaders to use when steering the enterprise ship.
This is all made possible by a shared language of terms and classifications.
For the area of business where cyber security and business overlap, there’s no common, intuitive, business intelligence or key performance indicator (KPI) language that security professionals and business leaders share to communicate effectively. No common or generally accepted business terms and metric specifications in place to routinely track, analyze, and express how cybercrime affects a business. And, for the leaders and security professionals alike, this gap affects both sides equally.
I think Jason’s summary is one that you could pitch in an elevator to almost any CEO:
In short, it’s as if there’s a conversation going on where one side is speaking French, one side Russian, and they’re working through an English translator who’s using pocket travel guides for both languages. (emphasis added)
Jason has some concrete suggestions for enterprises to start overcoming this language barrier. See his post for the details.
I would like to take his suggestions a step further. Since the language of security is constantly changing, make your solution maintainable by not simply cataloging terms and where they fit into your business model, but also capturing how you identified those terms.
I don’t think the term firewall is going to lose its currency any time soon, but exactly what do you mean by firewall, and more importantly, where are they? Configured by whom? And with what rules? That’s just a trivial example; you can supply many more.
Take Jason’s advice and work to overcome the language barrier between the security and business camps in your enterprise. The bonus of using a topic map is that it can be maintained over time, just as your security should be.