
Security advice - Profit prevention or new business enabler?

February 1st, 2007

Are security fears putting the brakes on true business innovation?

As much as it pains me to write it, I have to reluctantly admit that security is often the excuse people give for rejecting change and turning away genuine business innovation.

Sometimes this inertia is completely appropriate, but in many cases the decision to stand still has not been based on any qualified analysis. Too often it is driven by second-hand information gleaned from the Internet and a lack of clear understanding of the facts. Hardly surprising when you consider the proliferation of opinions and half-truths that make up the information overload of cyberspace.

However, my personal belief is that too few security professionals are tasked with implementing change securely within an organisation. They are tasked with preventing security problems, and are allowed to block changes without evaluating whether the proposed change is worth the security risk, a question they often don't have the tools to answer. That is why our Managed Security services are booming: organisations hand their challenges to me to worry about.

The way businesses think about security often starts at the wrong point. Instead of coming to the table with a request for access that is unworkable ("the auditor NEEDS full admin privileges so he can run some scripts", "the sales team NEED direct wireless access to the Internet without a firewall to demonstrate the product", and so on), the approach should be to present the requirement, not the method of achieving it. This allows the security experts to devise a way to achieve the result without compromising the network's security.

Used correctly, your security expert should be there to help you fulfil the business need with minimum risk to the organisation: by arranging for the administrator to run the auditor's scripts, or by providing wireless access through the firewall so the product can be correctly demonstrated. And where your security officer rejects a proposal, he should be able to point to a methodical analysis that holds water under scrutiny and allows the CIO/CEO to support his judgment call. That analysis should take into account your environment, your business and your risk profile; after all, not all organisations hold military secrets or deal in derivatives. To make this happen, you need to involve your security officer early enough in projects to get the best from him.

So the solution is more qualified security officers, not fewer. But in the interview, ask the candidate to explain exactly how he has personally implemented a firewall, VPN or anti-virus solution. Even if it was ten years ago, it will demonstrate applied knowledge and help filter out the administrators from the leaders. Then make sure the candidate has an understanding of business (try asking about Michael Porter's "first mover advantage"). A business-focused candidate should understand that university life will only get you so far without the relevant reading.

Lastly, ask a question that would offend a job applicant looking for his first job. If this doesn't provoke a response of righteous indignation, you might not have the right person to push the CEO and CIO to re-evaluate their approach. With the right person on board, there is only one reason why the security officer shouldn't be a positive force that helps your organisation embrace new technology without fear. And what's the reason? Well, you don't let him!


Agree or disagree? Send us your views and we’ll post them on the site.