Sometimes being a security pro in financial services feels like being in used car sales. Like the salesperson, we're all about the "hard sell" -- except instead of selling used cars, we're "selling" business leaders on the security controls that protect the transactions that make firms money. The metaphor actually holds up pretty well: the business folks have a tight budget, they don't particularly want to buy, and while they need what we're selling, they'd probably rather use their hard-earned cash to buy something else.
Now I don't know about you, but the part of the job I dislike the most is this sales aspect. I don't like trying to convince someone to spend their money on something they don't value. That's why I've spent a large part of my career looking out for tips to make it less about sales and more about getting on the same page with the business.
There is, it turns out, a better way -- at least when it comes to the security of electronic transactions. Turning the conversation from a "hard sell" to an "of course" starts by recognizing that the business folks already understand most of what's important about transactional security; they just have a hard time applying that knowledge once transactions go online.
Physical security comparisons
Don't believe me? Imagine a retailer at the close of day. They cash out, fill out a deposit slip, and put the cash into an envelope. Do they then tape that envelope to the front door at the local bank branch? Not likely, right? Why they don't is probably obvious to everyone: because in that scenario, the money would almost certainly be gone by morning. But the trick, it turns out, is in breaking down exactly why that's so simple and obvious to us all.
Underlying that example scenario is an implicit set of security requirements that both our customers and our business managers understand intuitively. Customers get it because even the most naïve of them have probably seen "It's a Wonderful Life" enough times to know why leaving a stack of cash hanging around is a bad idea. Business folks get it because they know that encouraging customers to take risks undermines what we're in the business of selling: trust.
So when it comes to physical transactions, our business partners already know why security controls are important. If we learn to phrase the technical controls for electronic transactions by using these principles from the physical realm, we make the conversation more an exercise in translation than sales. In other words, we build on what they already understand by grounding the risks and controls of the electronic transaction in the analogy of the physical transaction that they're already used to.
Frame the risk, pick controls
First, frame the risk by drawing out the parallels with the physical transaction and highlighting what they already know about the risk in that framework. For example, if you're building an electronic order-entry system for a brokerage, your business partners already understand the importance of authentication in the order process. Would they act on an anonymous phone call ordering liquidation of all of a client's positions? Or would they seek confirmation from the client first? Drawing out the analogy lets you explain why the system must verify who is actually placing an order before acting on it, and why the strength of that verification should scale with what the order can do: the same confirmation step they already require on the phone, built into the system.
Then, once you've framed the risk, highlight the controls based on how they address that same risk, again by drawing on the physical analogy to make the point. For example, if a company is implementing an electronic counterpart of the after-hours deposit system, you'd point out how putting the funds somewhere anyone can pick them up (like taping the envelope to the branch's front door) would be laughable, and that dropping a deposit file on a shared location with no authentication and no encryption is the electronic equivalent. The controls for the electronic system should at a minimum protect against that. And you'd illustrate how a secure file transfer system fills the same role as the physical depository: the depository locks the envelope away so only the bank can retrieve it, and the deposit slip records what went in, so the electronic version should authenticate both parties, protect the contents in transit, and leave both sides a record of what was delivered.
If you can convince a business that you're just trying to buy them the same protections in the electronic world that they have already in the physical space, the conversation becomes less about sales and more about explanation.
Being able to communicate that to business partners gives you flexibility. Are they not able to implement an encrypted channel due to technology limitations? Maybe there are other controls they can implement that address the same risk, such as protecting the contents themselves before they travel over a channel that can't be protected. The test is the same one they'd apply in the physical world: does the substitute still keep the envelope out of reach, or does it just move it to a different door? Once they understand the purpose, they can bring their creativity to bear on the problem. So in the end, not only are you not selling, you're enlisting their help.
About the author:
Ed Moyle is a manager with CTG's Information Security Solutions practice and a founding partner of consulting firm SecurityCurve. He is co-author of "Cryptographic Libraries for Developers" and a frequent contributor to the information security industry as an author, public speaker, and analyst.