Change that Respects Business Expertise: Stories as Prompts for a Conversation about Organisation Security

Leaders of organisations must make investment decisions relating to the security of their organisation. This often happens through consultation with a security specialist. Consultations may be regarded as conversations taking place in a trading zone between the two domains. We propose that supporting the trading zone is a route to sustainable, workable security change improvements. Prompts for such improvements are already in place, in the security stories that reach business leaders through news media, or anecdotes from trusted peers. However, a shift in perspective is needed to view these stories and anecdotes as prompts for individual decision makers to enter into the trading zone with security specialists. We illustrate how to facilitate this shift by recasting security ontology tools, previously centred around security-specific expertise, as a support device to enrich conversations between business expertise and security advice toward finding workable security choices. We frame our proposal within a broader view of community transformation, exploring the important principle of identifying practical opportunities to inform discussions about security solutions that are appropriate in the business context. Community-level discussions have potential to lead to more lasting, effective improvements than those instigated by one-way interventions from security specialists. We extend the view, applying the paradigm to articulate the importance of two-way conversations between business peers and security specialists.