Ever met an information security expert who thought they knew it all? Ever been frustrated when you try to explain something to a security expert and you feel like you haven’t been heard? Let’s change this.
Our mission at FRSecure is to fix the broken infosec industry. The fulfillment of this mission is going to be much harder if we don’t stop and listen to our customers.
At FRSecure, we have established the FRSecure Customer Advisory Board (CAB) to help us with this problem. We are privileged to work with a handful of great people on the FRSecure CAB. They tell us what we do well and they tell us what they want us to do better. It’s a great experience!
In our most recent CAB meeting, I posed the following two questions to our members:
- What is your greatest frustration with respect to information security?
- What is your greatest challenge with respect to information security?
I asked each CAB member to write down their answers, then we discussed them as a group.
Greatest Frustrations in the InfoSec Industry
The greatest security issues shared by our CAB members included:
- Lack of common information security understanding.
- Different interpretations of different information security regulations, government agencies, and standards.
- Lack of education for practitioners and executive management.
- Constantly changing priorities based on outside influences.
All of the common frustrations were shared by all of the CAB members. Through discussion and good healthy debate, we derived a core frustration that sums up everything: we are all speaking different languages for the same topic.
Greatest Challenges in the InfoSec Industry
The greatest challenges shared by our CAB members included:
- Education/training for executives, IT personnel, security teams, and users.
- Management commitment to continuous improvement.
- Obtaining the necessary resources for security management.
- Measuring information security (metrics, status, improvements, etc.).
- Cyber insurance: Risk understanding and risk management.
There are so many moving parts to an information security program, and it’s difficult for our customers to figure out the next thing they should be working on. Instead of using risk (and measurement) to determine what to do, they are using what outside entities (regulators, examiners, customers, etc.) are telling them to do. This challenge is closely related to the frustration problem, but it also became clear that customers don’t necessarily know how to fix security problems when told that they need to.
Members of the CAB agreed that the greatest frustrations could be summed up as: we don’t know how to fix the issues facing us within the greater context of a strategic information security program.
What FRSecure is doing
So what is FRSecure doing about all of this? If FRSecure is committed to fixing the broken infosec industry, we can’t shy away from our customers’ greatest frustrations and challenges. We are committed to solving these problems.
Problem #1 – We are speaking different languages.
At the core of the FRSecure business are information security risk assessments. We use an easy-to-understand information security assessment methodology that gets people speaking the same language internally (with executives, directors, management, and all users) and externally (with other information security professionals, partners, customers, regulators, etc.). The methodology is comprehensive, credible, and effective.
All of our other services can be incorporated into an information security risk assessment, and the deliverables for all other services must be designed to help solve problem #1 rather than contribute to it.
Problem #2 – We don’t know how to fix our problems when we’re told about them.
There are primarily three things that we’re doing to fix problem #2:
- We teach in every engagement we have with customers. It’s not good enough to tell customers how to minimize security threats—we take the time to explain and show it.
- We teach anyone who’s interested. We do this through speaking engagements, blog posts, newsletters, podcasts, videos, and the FRSecure Mentor Program.
- We are building tools for our customers to use to improve their data protection.
We will keep listening to our customers, and we will keep learning. Remember these two problems; they are at the core of everything we do. Thank you for sharing with us!