It’s time for the security industry to grow up. Most of us were drawn to the security industry because of the fun things we get to do. We like finding problems with security controls and love being paid to break into systems and networks. However, as much fun as those things are, information security has become a very important part of businesses and industry. The more businesses digitize their information and assets, the more important information security becomes. Whether we like it or not, information security is quickly becoming a critical part of the business process.
In that light, it is important for us as information security practitioners to learn more about business processes. I know that it feels great to get a shell on a box. However, that shell might not be on a system that supports a critical business process, and it is therefore a potential waste of effort. By understanding the underlying business processes of the company you are testing, you can identify the targets that are critical to the business as a whole.
This approach, however, requires an understanding of business processes. A great way to begin to understand general business processes is through education. I know that business classes can be uninteresting and even boring at times. I will admit that during my education the business classes were the least interesting classes I took. I can still barely remember the content I went over, even though I did very well in the class. Recently I have realized my shortcoming in understanding business processes and have been going back over my business classes’ textbooks. If I take more of a “hacker’s” view of business processes, I can begin to see the critical points in them where a successful attack would be damaging to the business as a whole.
There are many obvious targets, such as high-level executives, payroll, and data warehousing. However, less obvious targets can be just as critical. Imagine compromising the PR department and gaining the ability to send out press releases that could immediately damage the business’s reputation with its customers. All it takes is one fictitious press release going viral, and the company’s reputation could be irreparably damaged.
By understanding the business process, we as “security professionals” can begin to see these cracks in it and design safeguards to close them. I still believe that the hacker mentality can thrive in a business environment. However, in order for that to happen, we need to grow up, educate ourselves, and take our rightful place in the business world.
I am writing this in the hope of sparking a discussion on this topic. If you don't agree with me, please feel free to let me know why. I am a firm believer in open, uncensored, and frank discussions.