2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
When I was at Aliyun, I felt that the security department was a very "strange" department: the whole system seemed independent and had its own small circle.
After leaving, I joined the security circle to provide business security services for various manufacturers. When I first came into contact with the SRC (Emergency Response Center) of various manufacturers, I saw a group of different people united by the same sense of responsibility, and felt the vitality of security practitioners more and more.
Behind the vitality, however, lies the long-term restraint of security practitioners.
More than once, security practitioners have lamented that the biggest resistance to security is not external, but comes precisely from within the company. Why is this?
Security and business are always a pair of inexplicable enemies
The all-powerful * * and Party A security practitioners, who underpin the business, have two diametrically opposed career paths, and the latter have obviously suffered more.
We can see this scene play out every day: a business unit is about to launch an activity that carries an obvious risk of being *. The business unit has not informed the security department in advance (or has synchronized a little, but not usefully). The security department comes to ask for additional prevention and control measures, but the business unit turns a deaf ear and, when pressed further, dismisses the request with "KPI" and "performance".
Business people are in a strong position because they hold a performance KPI, while the related security requirements are seen as futile. Only when there is a large loss (such as the Pinduoduo coupon incident) will business people be in awe of the security department. This turns the security department's prevention and control strategy into "serious illness medical insurance": usually nobody is willing to look at it, and when something really happens, there is no claim point.
Why is security like an insurance product? Being unable to quantify its value is one of the biggest problems. How many loopholes have been filled, how many new protection programs have been launched, and how many risks have been avoided are all prevention and control against things that have not happened, and it is often difficult to quantify how much loss these problems would really have caused. Compared with the concrete performance figures of business units, this is even more so.
No wonder the business unit has a louder voice and such a great impact on the security department.
Leading and serving are two completely different ways.
However, the tormented security departments described above are more likely to come from Party A companies on the Internet. In the financial industry, which is close to money, the risk control department has a greater say. Especially in banks and licensed institutions, risk control can effectively reduce the overdue rate and bad debt rate, and visibly reduce business losses. The operation of the organization may even depend mainly on how well risk control is done.
It is not difficult to see that the closer you are to the money, the easier the risk loss is to quantify, so the work done by security is more likely to show its value and carry a greater say.
The author spoke briefly with several security leaders in the industry and found that, in this context, security departments have taken two forms:
One is to be a good guardian of security. It mainly focuses on the overall security ecosystem of the company and puts forward risk recommendations to the business, but the final decision on whether to adopt them is up to the business. If there is a problem with a business that has been alerted to risks, the only bottom line is not to turn your back on it.
The other is the risk control department, which is on a par with the business unit. The company's business plan needs to be synchronized with the risk control department so that risk is controlled in advance, the performance appraisal of the risk control department is directly linked to the business, and the right to speak and the pressure coexist.
The future possibilities of security practitioners
Then again, for a security department that is still a little far away from the money, is it not possible to increase the department's voice?
Not exactly. The author proposes two necessary scenarios for discussion here:
1. Change of consciousness
When the security department transitions from traditional network security to business security and becomes a prominent subject, the public may have a better understanding of the integration of business and security, and better understand the necessity of security construction.
2. Value mining
The security department can link its work results to business results, quantify the business value, and then promote the transformation of the security department into a value center. This is controversial, but the road is made by people, and the industry is changing every day; it is a worthwhile direction.