Security Paul on 24 Apr 2008
Explaining My Job
Sometimes it’s tough to explain to non-security people and especially non-IT people what my job is about. Bruce Schneier has a pretty good anecdote for this problem in his latest essay for Wired.
Imagine if the inventor of antilock brakes — or any automobile safety or security feature — had to sell them directly to the consumer. It would be an uphill battle convincing the average driver that he needed to buy them; maybe that technology would have succeeded and maybe it wouldn’t. But that’s not what happens. Antilock brakes, airbags, and that annoying sensor that beeps when you’re backing up too close to another object are sold to automobile companies, and those companies bundle them together into cars that are sold to consumers. This doesn’t mean that automobile safety isn’t important, and often these new features are touted by the car manufacturers.
In the essay the context is security vendors selling products to companies, but it holds for my job. I don’t directly provide any services to my company. I make sure the company’s services strike a balance between feasibility and security. That’s not a zero-sum game with good security meaning an impractical service. With the number of security methods and technologies you can use, you can probably find the right balance of good security and still focus on the business side. But when you get down to it, businesses don’t really want security, they want to do business. My job is to show the value of security and provide solutions that enable business.
Don Parker has an interesting take on my job that was reported on in Information Security Magazine at the beginning of this year. Information Security has been all about managing risk. He contends that the objective of reducing risk isn’t measurable, so it’s better to focus on some new objectives for security:
- Compliance – making sure that your business follows the laws, rules, and regulations required to do business
- Benchmarking – compare your capabilities with your peers and the industry as a whole
- Differentiation – make security a reason to choose your business over another
Information Security is changing. It’s becoming more mature and more of a commodity (like electricity or water) and less of its own specialized industry. I’m excited about the direction and looking forward to the change as long as I can keep in front of it.