Information security and business strategy Part 1

An interview with Stephen Northcutt
Security Strategies Alert By M. E. Kabay, Network World
November 23, 2009 12:01 AM ET

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.


I've known David Greer for over 25 years and have always enjoyed his intelligence, good humor and creativity. And Stephen Northcutt is so widely published, cited and respected in our field that I had trouble deciding which of his many Web sites to cite. It is a great pleasure to publish Greer's interview of Northcutt in two parts. Everything that follows is by Messrs Greer and Northcutt with minor edits.

* * *

Many information security professionals are overwhelmed with the technical issues they must deal with. But technical solutions must operate in a business environment that deals with customers, partners and other stakeholders. I interviewed Stephen Northcutt, president of the SANS Technology Institute, a leader in information security training, and discussed the relationship between information security and business strategy.

DG: How do you see information technology (IT) security and the broader issues of how user and customer experience relate to business strategy?

SN: One course that I teach is information security for managers. On one of the very first slides, the point that I try to make is that you've heard frustrated business people say you guys have got to align your security programs with the needs of the business. One of the questions I ask right then is, "Do you guys even know your organization's mission statement?" I typically see 10% or so of the class that can.

DG: I've had trouble finding how information security can enhance business strategy. The focus seems to be on the technology and how it is applied to the broader business issues. What are your thoughts?

SN: The people that I follow on Twitter have been posting a whole lot of posts with a little bit of technology but a lot of business comments as well. Our latest newsletter is called SANS ExecuBytes and it covers leadership as well as technology. What really impresses me are people who write and say, "I printed it out and gave it to my boss."

DG: While searching for thought leaders on IT security and business strategy, I found your Web page on Security Thought Leaders. The thought leaders that you mentioned seemed to be biased to the technical side. The interviews that I read were deep into the technical problems as opposed to the broader strategic issues I thought should be there. What is the background for your Security Thought Leaders?

SN: One of my goals for the project is to introduce people that you wouldn't ever hear of otherwise. There are some people who've done some truly amazing things such as Bill Worley. Bill was one of the architects of the Itanium and when he retired from HP his wife made him go in the basement so he didn't bother her all the time. He went in the basement for a year and wrote a new operating system that runs over Itanium. It's a micro operating system, so it runs a lower risk attack surface. Bill may or may not succeed and his company [which provides DNSSEC solutions to government, enterprise, and service providers] may or may not succeed, but what a great story!

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.


Comments (1)

By Spence Lee on November 23, 2009, 10:18 am: During the interview M. E. Kabay, asks how security products can help a business achieve their overall goals. Kabay has a good point – most security vendors focus...
