Article by Shawna Turner-Rice
Recently, there’s been a theme in my head about how security, while perceived as an individual sport, is a community-based team activity.
In fact, I can think of no aspect of security that doesn’t require a collaborative effort. My belief is that it reflects the more collaborative, integrated (networked) nature of work, computers, and ultimately people today.
Want more security budget? While the idea of what the security team wants to spend it on might be containable inside the security team, it doesn’t stay there. Success comes from working with the Board, the lines of business and the executive team to make sure that the final budget has the right balance between the goals of the business, ROI and risk.
Want to change a corporate security policy? It can’t be done without the active involvement of your legal, HR, executive and security teams. That cross section of the organization will probably reach out and get even more organizational representatives to trial the idea. Then there’s all the training and management support that follows on, once the policy is officially rolled out.
Want to add layers, or change your defense in depth approach? Your Information Systems team is just the beginning. What business unit will you impact? How will they be impacted, and when is the optimum time to do this? Depending on scope, this could even ripple through your business continuity program.
Why is it important that all of this is human centric? Because so often, we forget that change starts at the organic level. Many security practitioners or leaders come from an engineering background, and lean toward the expectation that data is the (only) answer. I’m opining that data is incomplete without context, and context is derived from interaction, typically not just on a system level, but with people.
I know some security people think we can reduce all security concepts to the CIA triad. I’d like to propose that we should reduce all security road maps to conversations and their outcomes.
The minute we think we can “mandate” a thing without a conversation, we’re probably out of alignment. If you try and play football (American or World) with just one person who isn’t working within a team structure, the game doesn’t work out so well. No matter how amazing the individual, without the support of their team, no goals happen.
Can’t get your CEO on board with the latest security needs? Why are you going it alone? Influence the people that influence the CEO. By the time you are done influencing them, they have probably influenced you too, and two things happen. Your proposal is better-rounded, and now there is broad support, raising your odds of success across the whole company, not just with the CEO.
You’re in a market segment (like financial) where consumers feel they have an opinion about your security rights and obligations? Why not find out what they think, and share data with them? If they know what you do, and what you don’t yet do (and why not), you gain trust.
In addition, by talking to them, you stand good odds of gaining insight that might change what you were planning. Suddenly collaboration is taking you in directions that you would not have found on your own, and everyone feels like they benefited. Isn’t that a desirable outcome?
I’d love to hear about how reaching out to people helped improve your security, and I’m sure others would too. Please drop a comment either here or on Twitter.
Cross-posted from Tripwire's State of Security