I found myself recently trying to explain to a friend that there are no absolutes in security and that everything is about risk management. We were discussing the recent appalling attacks in London and my friend was understandably frightened. He was considering avoiding the tubes and buying a new bike.
I was really concerned for my friend's safety and my immediate reaction was not to be sympathetic to his fear, but to launch into the level of risk of riding a bike around central London. I took the classic risk management, security view on life and tried to explain the percentages of people travelling in the tube compared to those injured, and how it compared to the numbers injured on our roads.
Although my argument was totally sound and logical, I failed totally to convince him. Later, my wife had to explain to me that my friend, above all, felt the need to be in control.
It is the same issue that faces security bosses when they approach the rest of the business – their audience probably doesn't want to hear about risk management, or what the latest encryption technology will do for them. What they want is to feel in control of security, rather than hand that to someone else, and they want simple solutions. Above all, they want their security people to empathise with the business challenges and cost reduction pressures.
Instead of talking about access control and provisioning of identity to external third parties through federation, it is time to discuss how business can reduce the time it takes a partner to come on stream, enabling them to bring products faster to market.
It seems to me there's a need to find an effective way of communicating security messages. We need to help the business feel in control, and gain competitive advantage.