Values
Security is a value.
A reminder:
When we talk of values in business we are not talking about money. The term was introduced into modern business vocabulary as a way of trying to talk about all those other things that are not related to finance and the bottom line. So forget about "shareholder value" or any of those other distortions of thinking that lead us back to what we were trying to escape in the first place.
Primacy of values
In their work on building effective and sustainable systems, Meadows and Forrester placed values at the top. "Values" are drivers from which all other business decisions are made for long-term survival and prosperity of the system.
Of course human and technical values absolutely do have a monetary value. Their financial implications may be positive or negative. Good business thinking is weighing up these values so they also produce favourable outcomes at the financial level. However, this is never an attempt to maximise for profit or ROI. A values-driven approach to IT and cybersecurity starts by getting the values right and then working back to see what can be achieved financially, correcting ambition as necessary. Amongst possibly millions of value statements we might address ideas like;
- appetite for risk
- loyalty to country
- belief in equality of opportunity
- concern for the environment
- a political agenda
- humanitarianism
- and so on….
Recall that here our primary value is to build systems that secure our interests.
Many approach business the other way, with the intention to first maximise profit and see what values remain after that. The answer to which is; none at all.
That error of a wholly economically driven approach is best put by Douglas Adams;
"This planet has - or rather had - a problem, which was this: most of t people living on it were unhappy for pretty much of the time. Many solutions were suggested for this problem, but most of these were largely concerned with the movement of small green pieces of paper, which was odd because on the whole it wasn't the small green pieces of "paper that were unhappy." – Douglas Adams: The Hitch-hikers Guide To The Galaxy.
A system designed "bottom-up", starting from financial constraints, is inevitably a broken and ineffective one. Yanis Varoufakis similarly suggests that the entire project of economics is itself a failure when collapsed to a single dimension of money.
Most cybersecurity today is broken, not simply because it is under-funded, but because it was never approached in a value-centred way in the first place.
Starting from a budget has two main drawbacks:
Insecurity through overspending.
What if you could actually much spend less than you think on digital security? Many organisations reduce subsequent budgets if departments under-spend, so given a budget we feel obliged to spend it all. This leads to "solutionism" and "gadgeteering". Some organisations buy expensive software and use less than twenty percent of its capability. Those unused features are not merely a waste, they become a technical debt and obstacle to natural security evolution.
Insecurity through lack of vision
Starting with a meagre budget we end up only with the security we can afford, not the security we might need. Starting with values is "dreaming big", with an exploratory phase in which we research the security possibilities and costs. Scaling down from a big dream to fit a realistic budget always yields better outcomes than building piecemeal from a mean and inadequate basis where we never even consider what might be possible.
Start with your business "Mission statement" How do those values relate to your cyber security posture? How could your IT systems better serve the company values? What changes might you make to align security and value requirement?