A common problem for information security professionals, is that security is perceived as a business blocker; hindering the operational efficiency and adding controls that make everybody’s life more difficult. But is this actually the case?
Sometimes it is…
Indeed sometimes, it is the case. Someone has the most brilliant idea: let’s implement these security controls to be the most secure organization ever. Unfortunately, the problem is that the security controls may add unnecessary burden. As an example, do you really need to expire passwords every month, in a system that is only accessible from a specific room? (air gap). If you want to find the answer, you have to identify the rationale behind frequent password changes.
Can we change it?
Of course we can. Similar situations and box ticking scenarios give Information Security a bad name, but we don’t have to do it that way. What you really need is Information Risk Management. Instead of implementing security controls, change mentality and strategy to managing risks. Your organization’s business functions need to be engaged in identifying business risks. Risks must be made visible to them, and they need to be involved in the risk treatment decision. If you decide to mitigate the risk, and you can do so with Technology, then go on, use your Cyber Security and Digital Security teams if you want - since these seem to be everybody’s favorite buzzword these days. But this is just one of the many cases.
Information Risk Management as business enabler
Always keep in mind that risk treatment does not necessarily mean risk mitigation. It may also mean acceptance, or avoidance - or even transfer; hence less or no efficiency-hindering controls at all if they are not needed.
Also keep in mind that every risk provides an opportunity. An opportunity to change and optimize processes, improve operational efficiency and business resilience, minimize exposure and unnecessary steps in your workflows. These are things that your business partners will understand and appreciate. And that’s how you can transform the “blocking Information Security” to “business-enabler Information Risk Management”.
Do your homework
On your way to “sell” Information Risk Management to your company, you have to do your homework. You have to build strong relationships with Enterprise Risk Management and IT / Technology Management, because these two are your allies in improving your organization’s risk exposure. You also have to involve all business stakeholders and function heads early. Like any change management project, early stakeholder involvement and buy-in are crucial in it’s success. Do not forget to also build a good relationship with Marketing (for risks affecting corporate image) and Legal (for risks that may impact legal or regulatory compliance). You may find these two functions to be very supportive, if you explain to them potential impact. On your personal development front, start thinking in business terms instead of technology terms if you haven’t done so already. If you think that business is a strange word for you, you may really be in the wrong profession. Risk and Security are not primarily technical functions, despite the fact that they are usually covered by people with technical / technology background.
It is true that many times, technology will be the only solution. Don’t be afraid to use it. Most companies have accumulated Technical Debt and fixing it without technology is not easy. But if you can help the organization to get rid of that debt, you will enable it to develop its business with more flexibility, having a competitive advantage against companies that just do Cyber/IT/Digital security and box ticking exercises.