From Obstacle to Ally - Repositioning the Security Team

Friday, March 30, 2012

Steven Fox, CISSP, QSA


Business people have a conflicted relationship with the IT security team. 

On the one hand, they concede the role the team plays in ensuring compliance with regulatory mandates and protecting corporate assets. 

On the other hand, the team is often perceived as overbearing and out of touch with business needs.  When the team does not understand the needs of the business, it is treated as a cultural outcast.

In her book, 8 Things We Hate About IT, Susan Cramm described common frustrations held by business professionals against IT staff.  These animosities are also directed at the security team.

The security team limits managers’ authority

“When challenged,” said Cramm, “IT justifies red tape as necessary because the business makes half-baked requests and is clueless about enterprise impact.”  IT security is perceived as playing the role of the beneficent ruler that imposes restrictions on citizens to protect them against themselves.

Many companies perceive the information security function as a cost center that seeks to constrain processes to which staff and management have become accustomed.  The frustration born of this perspective adds to the cultural divide between these functions. 

Rarely are non-security staff engaged in risk control discussions – a lack of interaction that serves to disenfranchise those who will interact with the controls.  This engenders a sense of powerlessness that leads to passive sabotage of initiatives intended to further the business.

Team members are condescending

The arrogant IT professional is a familiar stereotype lampooned in numerous television comedy sketches.  Although most security professionals do not conform to this caricature, the prejudice of business people sometimes leads to a self-fulfilling prophecy. 

Ironically, many security professionals feel undervalued by their business counterparts.  Members of the security team “often feel just as frustrated by managers who treat them like servant-genies,” wrote Cramm.

The needs of the business are not understood

A successful business relies on being responsive to a dynamic competitive environment and to the accompanying opportunities.  Al Kuebler, author of Technical Impact: Making Your Information Technology Effective and Keeping It That Way, highlighted three drivers common to all business decisions.

  1. Cost avoidance
  2. Improvement in productivity or service delivery
  3. Increased revenues

The security function, however, focuses on regulatory compliance mandates and minimizing the potential risks to organizational assets.  The manner in which this goal is pursued creates tension in organizations where risk is interpreted as opportunity.  In these instances, the security function is seen as an obstacle to success.

The team proposes “deluxe” when “good enough” will do

Business professionals are apt to use automotive brand analogies when discussing the cost/quality aspect of a solution, e.g. a “Buick” or a “Cadillac” product/service.  If a set of low-risk assets were compromised, the mitigating controls would be part of a Buick solution.  Conversely, a Cadillac solution is appropriate for high-risk assets.  This reflects a cost-benefit analysis of the security controls versus the projected cost of a compromise.

A common prejudice against IT professionals is that they will recommend a Cadillac solution when a Buick will accomplish the job at a lower cost.  This stereotype is born of a tendency to over-analyze a business problem and recommend a solution that addresses all possible implications of an incident.

IT Security projects never end

“It’s not that IT projects are never completed on time,” said Cramm, “it’s that they never feel completed at all.”  She points to a lack of consistency between functional requirements and the features delivered by an IT system.  This problem is perpetuated by the IT team’s expectation that their technical staff have the skills required to elicit business requirements.

Security teams should use compliance mandates as a context for risk discussions and for implementation scoping.  It is easier to market investments focused on high-risk issues over the next two quarters, for example, than to secure budget for a long-term security program. 

Linking these control recommendations to compliance drivers allows the security team to address technical concerns while addressing management priorities.

IT Security does not support business innovation

Business is about being responsive.  Change comes in different forms – technological advances, new competitors entering the market or old ones going out-of-business, or the fickle nature of consumers stimulating adaptation.  From a business perspective, innovation must be executed to take advantage of change while minimizing risk.

IT Security is about enabling business while protecting the organization from external and internal threats.  This mission constrains the options available to the business, thus creating a perceived lack of competitive agility.  Separated from the business decision cycle in most organizations, the security function is left to act on incomplete messages from its customer.

IT Security never has good news

“No matter how much you spend or how hard you work, the promise of technology seems perpetually beyond your reach,” said Cramm.  Business professionals are accustomed to realizing measurable benefits from their investments.  They can refer to case studies to support the consistent Return-on-Investment (ROI) for a given solution.  The security function is handicapped by the lack of these success stories. 

Its guidance is backed by industry practices and regulatory guidance – all external factors that rarely connect with the organizational mission.  Additionally, the outward manifestation of effective controls is a reduction in incidents, not an improvement in the measures that are at the forefront of business attention.

While the IT security function is perceived as a cost-center for the company, it is possible to shift this perception by identifying and solving business problems that have an IT component.  These efforts, however, need to be promoted for all the organization to see. 

The corporate landscape is replete with budgetary battles between departments.  The Security Assurance story must be told in a compelling fashion that communicates its value.

Lack of political awareness

Many IT people consider politics a “dirty word”.  Business stakeholders, on the other hand, recognize the political realities of the business environment.  They study the political patterns of the company in order to position their departments for success or further their agenda. 

While exceptions do exist in highly political environments like the automotive industry, IT Security departments lack the political awareness to function at the same level.

Political awareness can be distilled to knowledge of the following:

●  Decision makers and what they care about

●  True business drivers behind security investments

●  Team dynamics

The security function must understand the goals of those to whom they are marketing.  Given the separation between IT and the business, it is difficult for these goals to be determined without the help of business allies. 

These alliances are forged by helping business stakeholders solve problems consistently.  The security team must be able to evaluate the value of different relationships and its ability to reciprocate on the resulting benefits. 

Additionally, the team must scope the nature of the partnership in order to optimize its positioning.

Cross-posted from the McAfee Security Connected blog
