Thursday, August 16, 2012

Do security like a start-up or get fired - Say yes

This is part of a blog series. For more details, start with the intro.

Evolve from “no” people to creative “yes” people

The previous post in this series talked about Trust. I referenced Forrester's Laura Koetzle and her definition for an IT security & risk professional's role:
"We protect our company’s brand – and our Security & Risk program allows our company to pursue new business opportunities safely."
In the eyes of most CEOs, security teams are employed to protect the company’s brand and reputation. But why do so few mention the second part about being used as a business enabler? Those of us in IT security have been rolling this reason out for years. Yet we're still stuck with the perception gap.

It's because...
In case it's not clear, the image reads: "IT security says no."

Sound familiar? We’ve all said it before, haven’t we? In fact, it’s almost the default answer because most of the time, the business has no idea about security and keeps making stupid requests! The previous statement may not always be true, but that’s IT security's perception a majority of the time.

Why don’t we take the time to ask why? And by that, I don’t mean simply ask: “why do you want to do that?” We need to take the time to understand the business reason behind the request. We need to put on our business hats.

Say yes more often. And say “yes” all the time, if you believe it will give the organisation a competitive advantage or access to a new revenue stream. Be creative about mitigating the risk while enabling the business initiatives and leveraging existing security infrastructure. If you can’t, management will hire someone who can. Balance competitive advantage against control. Ultimately, security teams need to understand the business. They need to understand how the organisation makes money.

IT security needs to be seen as a business enabler instead of a support function that always gets in the way. IT security teams need to evolve from “no” people to creative “yes” people, while knowing that risk is the variable in the security and usability equation.

Next up - Do or do not. There is no try.

1 comment:

olj said...

You can only be successful as a security officer of a company in the current economic environment, when you find solutions with business taking the right balance between opportunity and risk. This is risk management as you should do it. Otherwise you will always be the last one being asked and just another department known to hinder business.