What business are you in?

Do you want fries with that?
Global giant McDonald’s is famous for its fast food. However, it’s not the burgers and fries that made the business profitable. Ray Kroc initially struggled to bring in enough revenue from his franchised restaurants to pay for the land and the buildings for McDonald’s restaurants, which meant growth was limited to one restaurant at a time.

Then Kroc hired Harry J Sonneborn, who saw that the real money in this business wasn’t just to be found in a juicy beef patty but rather in property management and development. He created an innovative plan which allowed McDonald’s franchisees to rent space for their restaurants, with plans eventually leading to them taking out mortgages so they could own the buildings as well as have exclusive rights over where those places are located, all while still making money hand over fist because people love eating at these locations!

Say Cheese
Flip a few pages in the history book to K, and you’ll find Kodak, the brand which at one point controlled almost 70% of the photography film market.

But Kodak was never really in the photographic printing business – it may have thought that it was. In reality, it was in the business of preserving memories.

Many will comment about how Kodak failed because it was too slow to adapt to the arrival of digital cameras. But that’s only part of it. What it really failed to do was transition from a ‘memory preservation’ to a ‘sharing experiences’ business.

I stop hackers
Early in my career, someone was trying to understand what I did. After unsuccessfully trying to explain to them the details of PKI, I tried to sum it up by saying, “I stop hackers”.

Of course, that wasn’t really true; I spent most of my time resetting passwords, granting permissions to assets, and looking after privileged accounts.

But it begs the question, what is the role of anyone who works in security? Yes, we can say it’s to reduce risk – but does that look the same in every scenario, for every type of organisation, in every type of cybersecurity role?

I feel like I may have gotten a bit too abstract here.

There’s a need (an obligation even) for security professionals (in their different roles) to understand the business they are in. Because if we understand that, the security controls, processes, and procedures that we map out and implement can help the organisation achieve its mission. In doing so, we can create that amazing McDonald’s model with cyber Golden Arches.

But if we fail to do that, we could end up going the way of Kodak.*

* When I say “we” I clearly don’t mean all of us. Just those who make the bad decisions so the rest of “us” can point and laugh.**

** When I say “us” I don’t mean me. I would never point and laugh at anyone.***

*** Well, I don’t laugh at anyone <anymore> before one of you pulls up an old quote I may or may not have written or said several years ago.