Blogger: Eric Maiwald
Security cannot be discussed or described in a vacuum – any security discussion requires a context. It does not make any sense to say that a company or product “provides security.” Security of what? Protecting from what? The security discussion has to include the context of the technology, the business problem, the information to be protected, the overall environment in which the enterprise functions, etc.
This means that “security” can only have meaning when we answer:
• Why do we need security?
• How does security help the business to function?
• Who are we protecting against?
• What negative consequences are we trying to limit?
If this seems obvious, it should. Unfortunately, many practitioners, vendors, and even analysts miss this basic fact. I hear people talking about implementing security without answering these questions. Perhaps it is just assumed that “everyone” knows why security is practiced. I think this is a bad assumption. Security people need to articulate the benefits they provide to the business. Answering the questions sets the context for the security discussion. If the security team can’t answer these questions, I wonder why they exist.