Last week I spoke at The Security Standard conference put on by CSO Magazine. While not the main point of my talk, one key theme that I addressed is that in Security and IT we cannot use "Just Say No" as an operating strategy.
Five, Ten or more years ago, security and IT divisions were often considered to be roadblocks. In many organizations, security and IT existed for self-fulfilling reasons... to support the technology they chose. IT and security would dictate to the business. But that's not the right way...
In many organizations, when the business brings a need or idea forward, they are met with a "No" from security or IT. If the request is really a need for the business, then the business area will be forced to find another way to meet that need. That can lead to unvetted outsourcing or internal "shadow" IT.
I'm not saying that security should allow absolutely anything in the door. Security has the responsibility to assure needs are met and that the environment is kept safe. But security and IT must exist to support the business need.
So, we should not just say "no". We can say "no, but...", or "yes, but...". That means we have to work with the business... work to understand the core needs, and work to find a solution that: meets the business need; fits the environment, and; has appropriate security controls.
And that's not easy! It means that security has to reach out to the business areas. We must learn what the business does, how the need to use information, and what kinds of systems and applications will meet their needs. While ubiquitous access, mobile, tablets, smartphones, BYOD and use of consumer software all represent potential exposures, these may all help the business do their business.. Then it is our job, in security, to come up with creative and appropriate controls and solutions to make this work. That is when we add value. That is when we become more than just a cost center.
Make sure you are reaching out to your business areas. Make sure you are staying up to date on what is going on in our industry. Don't just say no... work hard to find an appropriate solution for the business. Don't be a roadblock. Add value.
How do you make sure you are connecting with business areas? Have you had a situation in which you just said no, and it back-fired? Or how about a success story when you said "no, but" and found a win-win solution?