Alex Taverner, Managing Consultant, BAE Systems Applied Intelligence
"Who gave 'them' this great overarching power to stop a project in its tracks?"
This is just one of the frustrated complaints about IT Security teams made by their business colleagues. Yet the underlying root cause for why IT Security can be perceived so negatively in organisations is often bidirectional; business units sometimes don’t feel that IT Security has any real understanding of what they are trying to achieve, and IT Security is often engaged far too late in the piece, yet is expected to provide approval before projects can proceed. The result is that the IT Security department often seems to act as a business inhibitor.
In light of several well-known recent exposures to cyber events, it is worth remembering that IT Security is now a Board-level concern and it is the risk management position the Board adopts that determines the role of IT Security in the business. Let’s face it; IT security is no longer an avoidable cost. The disciplines around getting ‘biggest bang for buck’ are not about whether to spend, but how to spend.
"Good IT Security isn’t about Delivering the Most Stringent Controls to Minimize Risk or Only Addressing the Downsides"
The reality, however, may be that IT Security teams aren’t given enough time to work on the project (be it an offering, service, product, solution or engagement) so they get forced into a corner – needing to make sometimes far-reaching assessments of potential business impact without sufficient information and in the context of often proscriptive policy and compliance frameworks. Engaging with this team early, when a business unit first comes up with an idea or a requirement, not only helps the IT Security department, but can also smooth the transition of the project through to completion. This team can then properly assess potential hurdles that may come up and has an opportunity to provide recommendations on how to get around them.
A good, effective, open-minded IT Security department will be seen as a business enabler. The business environment is increasingly regulated, with more and more compliance obligations to meet. These can be as diverse as handling credit card payments, providing services to government, or handling people’s information captured as part of a sales process. The IT Security team will not only understand these requirements, they will know how to comply with the imposts with the least effort.
In addition, a good IT Security department may be able to identify technical upsides where it is possible to get better commercial outcomes. Good IT security isn’t about delivering the most stringent controls to minimize risk, or only addressing the downsides. IT security should also focus on how best to harness new opportunities and technologies for the advancement of the company.
In highly regulated environments, such as banking, insurance, or anything to do with government for example, having the IT Security team helping out with pre-sales is often invaluable. The differentiator between two vendors offering a service increasingly comes down to not only how well they can meet their prospective customer’s compliance obligations, but importantly, how well they can communicate and demonstrate this to the prospective customer. This is when leveraging the IT Security team leads to sales enablement and should not be underestimated.
IT Security teams can also help their own case by bringing awareness to the business of opportunities that fall within the organisation’s risk appetite, rather than just being reactive. It is better to have a more experienced and better credentialed IT Security team who understand the opportunities in emerging technologies than a team who focus solely on minimizing risk.
Furthermore, good communication is imperative. All IT security decisions should leverage a 'top down' approach based on company vision, strategy and objectives. In fact, security architecture frameworks such as SABSA channel enterprise architecture models like Zachman to ensure traceability from business requirements to security decisions and can be presented to business stakeholders in business terms.
IT security is not going away. It is simply too important in today’s world. Having the top IT Security people building good rapport and mutual trust with the rest of the business is imperative. They have to earn the position of trusted advisors as well as subject matter experts in their own fields. The IT Security team needs to be a meaningful player and an active participant in the business.
To use the old saw, 'IT security is a journey, not a destination'. There will always be change. There will always be new vulnerabilities. A business has to take acceptable risks and deploy mitigations where needed to ameliorate the risks which it is not prepared to accept. Understanding this equation is good IT security. So, for CIOs and CISOs, carefully managing the message and prioritising the battles that need to be fought goes a long way to being a valued member of the leadership team.
Computer does not need to say 'No'.