Outsiders mainly look to two factors when attempting to judge an organisation's security street cred. First, the trustworthiness of the organisation's security team. Can they be trusted with sensitive information? Do they have clean reputations? What are the motivations of the different team members? Second, people will look at their competence. Do they know how best to leverage any information that is given to them? Are they appropriately protecting the interests of the organisation, its clients, and its shareholders? Are the team members able to complete their duties effectively and in a timely manner?
In what ways will a reputation for good security benefit the organisation?
Recruitment: Recruitment and retention of talented individuals is important to a successful security programme. More than just money, benefits, location, and position, top talent is often also concerned with the pedigree and reputation of an organisation. If an organisation has good street cred, it helps to attract top security talent. There is an amplification effect here – good street cred brings good talent, which in turn improves the organisation's street cred. The converse is also true – unknown organisations or organisations with less than stellar street cred will have a difficult time attracting top security talent.
Technology: The right mix of people, process, and technology is required to keep pace with the growing and diverse threats faced. Cutting-edge technologies can sometimes offer new perspectives or insights into attacks. Often these technologies are initially introduced through a small number of technology partnerships with vendors. The vendors introducing these technologies typically choose organisations that are both forward leaning and have a good reputation. Why? It is better to dedicate scarce resources to partners that can make the best use of the new technology and offer the most insight.
Information sharing: When organisations undertake information sharing efforts, they provide techniques, methodologies, and intelligence to other organisations. Any sensitive information shared opens up the organisation to potential risk. Therefore, the sharer will carefully weigh the trustworthiness and competence of the receiving organisation before electing to share. The practical implication of this practice is that those organisations with the best reputation often receive the most timely and actionable information through information sharing efforts. And sharing timely and actionable information further enhances the sharing organisation's reputation.
Threat intelligence: The best threat intelligence tends to be the most specific and contextually rich, and therefore the most sensitive, so it is only provided to those above a certain level of street cred. Both the trustworthiness and the competence of an organisation matter here: it is not just about trust, as there is no point in incurring risk to provide intelligence to an organisation that cannot leverage it properly.
Dialogue with legal, privacy, and executives: Ultimately, security is a business function and an under-emphasised aspect is communication. Budgetary matters, disclosure requirements after an incident, or the intricacies of a formalised information sharing agreement require a continual dialogue with legal, privacy, and executives. These key stakeholders are charged with protecting the best interests of the organisation and minimising risk. And it is trust that is the foundation of a successful and productive dialogue that can bridge the practitioner/non-practitioner divide.
IT cooperation: Implementing the security team's recommendations for improving the organisation's security posture often falls to members of the IT team. IT, however, is measured on uptime and ease of use, and these differing motivations can create tension. A security team that is widely respected in the industry can use its credibility to give the IT team confidence to deliver what has been requested.
Customer and partner confidence: Prospective clients and partners increasingly want to understand an organisation's security maturity before signing a deal. This will often involve site visits, meetings, discussions, and perhaps even reference checking. If an organisation's security team has a good reputation, it can help the organisation close deals and become a revenue enabler.
It is important not to underestimate the key role that an organisation's reputation plays in the overall success of its security programme. Security leaders can help their security teams by paying careful attention to the word out on the street regarding their organisations, as it can have a great impact on their success.
Contributed by Josh Goldfarb, Chief Security Officer, FireEye.