
Blog Author

Jon Collins


Freeform Dynamics
Managing Director/CEO

Jon Collins' blog 11-12-2008 20:11

Security – the glue that binds?

Earlier this year, we did some work for a hardware vendor to help them determine how IT departments could communicate better, and become more multi-skilled. To summarise, there was one key area of common ground between both network engineers and other operations staff – and that was security.

Meanwhile, and also earlier this year, I was impressed by a presentation from an HSBC senior executive at an outsourcing event. He was talking about how the organisation had merged its IT security unit with its business fraud unit, as ultimately both sides were dealing with the same business risk issues.

It was only in a conversation over the past couple of days that I brought the two occasions together in my mind. So here’s my question – could security be the glue that binds not only the different areas of IT, but also IT with the business? I believe the answer is yes, if it is done in the right way.

There are two pre-requisites for this. The first is a recognition that all risk is business risk, for organisations large and small. Like the tree that falls in a forest when nobody is there to hear it, a breach that causes no business problems (either financial or compliance-related) is probably not worth spending too much time on. So, it is the lines of business that are best able to decide what level of risk they face.

The second is an understanding that security is a quality of IT service delivery. While it is technologically complex enough to be seen as a discipline in its own right, equally, this shouldn’t get in the way of ensuring that security exists as a horizontal layer across the IT environment as a whole. We’ve all heard the clichés – built-in rather than bolt-on security, for example.

Given these two starting points, there is no reason at all why security cannot be central to the dialogues both within IT and with the business. What are your experiences – are we all business risk and service delivery managers now, or will security forever remain the domain of the nerds? I’d love to hear them.



Permalink:
http://www.infosecurityadviser.com/view_message?id=85

Comments:

Mike Barwise  11:27 am, Mon 15th Dec 2008

Of course Jon is correct in this - information security has always been at the core of business risk mitigation, and is essentially a business problem. The solutions may be technological sometimes, but the problem is not technological.
However, the reason right now why security can't be central to the dialogues is that everybody involved in the dialogues has a vested interest. These vested interests vary but none of them have much to do with the security of the business. The Board want to pass audits and get certifications because it's good for the share price. The quick route to this is a convincing paper trail of "processes" whether or not they actually contribute to security; software developers want to use the trendiest tools and techniques regardless of their security or applicability to the specific needs of the business; the IT department wants a quiet life with responsibility devolved on appliances rather than people. To them, information security still equals IT security plus telling staff about the password policy; business managers don't want (and usually don't have the skills) to be involved in systems or process design; everyone has a resistance to asking front line staff what they really need to get their jobs done. And because these vested interests are only thinly (if at all) disguised, every echelon mistrusts the others, so co-operation is effectively impossible.
Nowhere is this more effectively demonstrated than in my sphere of e-commerce development - not just coding bugs but glaring security weaknesses in business logic pervade online applications. Usually these can be traced to inadequate planning, sloppy specification and lack of supervision of the development process, but when the hazards are pointed out the consistent response is denial or emotional defensiveness rather than remediation.
So until we can get the participants to be objective, impartial and prepared to make the necessary effort to ensure things get done right, no kind of dialogue will be effective. As usual, the barrier to progress is a social one, not a technological one.

© 2009 Reed Exhibitions

Infosecurity Adviser is produced by Reed Exhibitions with thanks to Tangent Labs