Security is not about saying “no”…
As Information Security professionals, we often find ourselves saying “no” to a lot of ideas and proposals.
- “The business wants to purchase a new piece of software to house customer data after only the first demo.” No.
- “Making me a local admin would allow me to do my job with less hassle.” No.
- “I want to use Dropbox to store my company files so I can access them at home.” No.
- “Can we open port 3389 so I can access the servers from home?” No.
- “The CEO wants to store data in the cloud.” No.
There are times when saying “no” is easier and faster, but “no” is not a solution. The problem is that the word “no” is a barrier. Oftentimes the Information Security department gets a bad reputation inside a lot of companies because it is seen as a place where ideas go to die. Once this reputation is earned, it is hard to convince the business otherwise, but it is possible.
Say “how” instead
As professionals we should not be looking to say “no” to everything. Instead, we should start a dialogue and find a way to say “how”. If an idea is presented, especially from upper management, there is often a good chance it is valid and already has momentum. All of the examples listed above are reasonable: initial demos can be very convincing; access to the infrastructure from outside the network can make a Work From Home program a possibility; and putting data in the cloud can be cost effective. Moreover, there are ways to accomplish these ideas and implement them securely.
It must be kept in mind that new ideas are rough around the edges and fragile. It takes a lot of time, energy, and dedication to keep an idea alive, so any negativity could be seen as confrontational and taken personally. When a proposal first arises, an Information Security professional must participate in the early discussions and help the company pursue the idea with security in mind. A new proposal can easily be shaped and molded early on, unlike one that has already been discussed with others before the Information Security department is brought in later in the process. It comes back to the adage that security should be built in from the start. From this perspective, the Information Security department becomes an integral piece of the business and not just a function of its daily operations.
Information Security should enable the business, as Dr. Eric Cole always reminds us. This means getting involved early, finding viable solutions to tough problems, and staying involved. Slowly, the business will gain confidence in the Information Security department, fostered through cooperation, and the department will flourish. Information Security is about much more than configuring firewalls, monitoring logs, and finding new vulnerabilities; it is about helping the business become secure, grow, and operate.