The hedgehog's dilemma - Story of business and IT Security

In summer 2011 a new security-related conference series was started in Madrid. Or better said, a technology-based risk management and innovation event. I had the privilege to give the opening talk on the links between security and business to a wide and wise audience. I titled my talk the hedgehog's dilemma.
This post summarises the main points of the talk. They are still applicable (they are even more applicable now than in 2011!). Happy to start a discussion thread on your views on these macro topics. They are not close to a command line, but they certainly steer our professional future working with and at corporations.
Using Wikipedia's description of the dilemma, "hedgehogs all seek to become close to one another to share heat during cold weather but they must remain apart, however, as they cannot avoid hurting one another with their sharp spines".
Security and business suffer from exactly the same dilemma. The objective will be to change the paradigm from hedgehogs to penguins. Penguins can stay together. Actually, they benefit from staying together every winter.
I proposed two dimensions to work with, a methodological dimension and a human one. Let's describe both of them:

From hedgehogs to penguins: A method
Firstly, we need to use traditional risk management concepts such as vulnerability, threat, risk, impact & probability and the benefit-to-risk ratio, all of them explained in the first chapters of IT Securiteers.
Secondly, I propose the use of 1 + 3 + 1 filters. As a security professional, pay attention to the elements that pass all five of these filters:
1. They are real and detected threats. This is why monitoring is key.
2. They cause a high impact to the organisation and they mean a low risk for the attacker.
3. Their treatment does not require massive resources and does not decrease customer usability. This filter is a tough one to respect. However, it constitutes a mid-term survival guarantee for infosec professionals at work.
4. They bring a positive reputation to the security team. This one is also challenging but worth considering in these times in which we need to market everything.
5. They comply with legal and governance requirements and they satisfy senior management's requests. Please do not forget the last part of this fifth filter.
Certainly this is easier said than done. Three additional tactical tips:
a. Plan no more than 40% of your security resources. They need to be available to deal with a great deal of unknown (and ad hoc/unplanned) activity.
b. Follow a "baby-step" planning approach and celebrate (and sell!) every successful delta.
c. A useful way to structure your work is to consider these layers: networks, systems, applications, data and identities. (Thanks to Jess Garcia for this point.)

From hedgehogs to penguins: A passion
Security teams certainly need passionate and technically savvy security professionals. Together with this statement, I would add that we need a multidisciplinary team. Players who are neither IT-savvy nor security-savvy also have their place in a security team. These new players can come from fields as distinct as marketing, sociology, statistics, journalism, law and economics.
The number of interactions that some of the security team members need to have with the rest of the organisation is high. Public relations and marketing are essential for the previously presented 5-filter method to succeed.
How many active security teams do you know that already have this innovative composition? Probably not many. Two references to go deeper into this subject of security management: Try IT Security Management and Secure IT up!. I would be happy to present it to you if required.
These multidisciplinary teams will live by the motto "share, respect and mobilise":
- Share the information you work with among your colleagues.
- Respect the personal and academic background of every player in the team.
- Mobilise your peers, i.e. trigger their curiosity for your field of expertise.
Two models help grow cohesive teams. Both models aim to find a balance in every team member:
- Find the sweet spot that balances the skills they offer, their passions and market demand.
- Find the sweet spot that balances who they are as individuals, in their social dimension and, finally, in their professional lives.

Multiple leadership and continuous learning
Security teams need more than one leader. Preferably three. At least two that get along well and complement each other. The role of the leader will be to look after team members while delivering the mandated value to the organisation.
In a two-dimensional graph, draw where your team members are in terms of valuable security skills and level of motivation. Those scoring high on both axes constitute your team's critical mass. The role of the leader will be to grow that critical mass, i.e. encouraging everyone to sharpen their skills and letting motivation grow in them. Imagine a KPI on this!

Important ingredient not to overlook
Security team leaders need to be outward-looking and multidisciplinary themselves. They need to act as security ambassadors, especially with their reporting lines and customers. They'd better double-check periodically whether they still have their senior management's support.

Security innovation: Five provocations
Some food for thought. Call it crazy ideas, call it security innovation:
- Conduct effective guerrilla marketing out of your CERT team.
- Carefully (and smartly) design the experience that a visitor to your facilities and a customer of your security services would leave with. End to end.
- Identify the social connectors in your organisation and make them your security marketing ambassadors, even if they do it unconsciously.
- Make the most of the "power of free" e.g. distribute free encrypted memory devices.
- Be constructive. Remember, life will always find a way!

Happy finding!

Finding a way