Sometimes we all need a reminder of the obvious.
This article from Infoworld reminded me of something I'd learned a while back and recently forgotten: Information Security is not about technology.
"Ultimately, the most significant point of disconnect between security pros and the business people they work with is the struggle to balance issues of protection and compliance with efforts aimed at growing sales and revenue, which the panelists characterized as a near constant 'tug-of-war.'"
Does this sound familiar? If I can quote a popular Internet meme here: "You're doing it wrong."
This tug of war is what happens when information security and executives fail to understand that they're supposed to be pulling in the same direction: towards revenue. This is actually quite fundamental, but traditionally really hard to manage.
CFO says: "I think in terms of risk -- sometimes that's about dollars and sometimes it's about reputation, but you need to tell me, what's the real risk that could actually hurt the business? It's all about getting the language and communication right."
And this is the crux of the problem. Infosec needs to assess and articulate risk in terms that the organization can understand. It's not our job to protect the company from things it doesn't know about, but to inform the company about risks, possible solutions, and the impact of those solutions. The decision of whether or not to accept a risk should be based on the impact to revenue.
Maybe every information security team needs to hire a communications person, someone who specializes in information presentation, rather than information assimilation. In every InfoSec group, we should be asking ourselves who provides the guidance about how to deliver data to other parts of the organization.