Reduce Risks by Becoming a Service-Oriented Organization

Information security organizations in large enterprises are all-too-often focused on compliance.  Communications between security and other organizations are often centered on an audit, or require some action to be taken.  At times, organizations need to set aside current activities to focus on reducing risk, which can result in a missed deadline, exceeded budget, or missed business opportunity.  When people with good intentions come to security for help, they’re often left unsatisfied, or, worse, with a to-do list that is bigger than when they began.

As a result, people within the enterprise often fear the security organization, and avoid it whenever possible.  In a previous life, I was an application development manager, and know the feeling first-hand.  People representing the business and the IT staff often need help managing risks and "doing the right thing" to secure their systems and business processes.  Given the resources they need, most people will make the effort to act responsibly, and seek out help to reduce risks in their project, technology, or business process. Without the right help available, most people will focus on what they do best, and ignore otherwise important but confusing risk-management activities.

Security organizations exist to serve the needs of the business.  We are service organizations, and we’ll only succeed when we provide valuable services to the business (and their representatives in IT).

There are some steps security organizations can take to act more like the service organizations they are.

Put up roadblocks only when needed

It’s easier to get people to act when there’s something standing in the way of success.  People pay attention when they’re about to miss a deadline or blow their budget, and stopping a project dead in its tracks is a sure-fire way to force a change in course.  It’s also a good way to lose the respect of the project manager, and make sure they avoid you in the future.

There are often plenty of good reasons why the risks of proceeding with a project outweigh the business need to complete the project on time, within budget, or at all.  Understand these reasons, and articulate them to the business representative before you delay a project. If you can’t articulate the reasons to delay a project, re-evaluate your risk assessment.

Use responsiveness to succeed where others fail

IT organizations are sometimes filled with people who aren’t responsive or helpful when people reach out for help or information, and security organizations often make the same mistake.  Pretend for a moment that you’re a consultant, and the person who is reaching out for help is a paying client.  Help them as if your job and the success of your organization depend on providing quality service.  Repeat this pretend exercise enough times to understand that the business really does pay for the security budget, and they expect to get some value in return.

There are reasons for every policy — understand them

Policies exist for a reason.  Every member of your organization should understand the policies, and the reason why they’re there.  Someone in your organization should understand the policies well enough to understand the purpose behind each of the policy statements, and be able to explain it effectively to others.  If you can’t find a good reason for a policy statement, it doesn’t belong in your policy.

Don’t give up!

It’s not easy to change the groupthink sometimes prevalent in security organizations.  It takes some work, takes some practice, and there will be some failures.  Keep at it, and don’t give up.  In the end, others will stop running away from the security organization, and the process of reducing risks will be much easier.
