The tactics and personalities assumed by security teams have bred some rather novel approaches for implementing and promoting security practices within organizations. We've likely all seen the iron-fisted security group, which prefers the stick over the carrot, and tries to garner support and compliance through the spread of fear and uncertainty. Having seen an information security manager brute force C-level executive passwords and post them for all to see, I long ago concluded this approach doesn't work. Too often, security professionals damage relationships with key stakeholders through such aggressive tactics.
Other security teams attempt to raise awareness for their practice through the more benevolent approach of security metrics. But implementing metrics that demonstrate the monetary value of a security practice to the C-suite is a conundrum. Realistic security metrics related to monetary value simply don't exist and never will except in a very few unique, isolated scenarios.
While their approaches are radically different, the iron-fisted and the metrics-minded security professionals are trying to accomplish the same goal: garner support for their initiatives. A better alternative is to use a service model.
In order to survive and demonstrate true enterprise value, security teams must re-commit to a service-oriented approach. Even if a security organization already enjoys support within the C-suite, positive working relationships generated by a service philosophy will always result in stronger, more robust security practices. A service-focused approach must accomplish five things:
- Align with business needs: This is obvious, but oftentimes business groups have pent-up demand for security services that aren't being fulfilled, such as employee forensic investigations or employee/contractor security training. Frequently, such demand doesn't require a whole lot of digging to uncover. A service mindset always looks for easily aligned services that can help establish the information security brand and focus within an organization.
- Be timely and responsive: As with any service, timeliness and responsiveness is integral to a security service's success. Especially within IT, when particular security services (such as an information security project risk assessment) are likely to be viewed initially with skepticism, a security team must not be seen to stand in the way of a project's timelines. This also means getting involved early in projects so that any security holes can be remedied as part of standard project activities.
- Provide quality: What good is a service if it doesn't fit business requirements? If security recommendations are over the top or not properly thought out in relation to operational business constraints, they will be dismissed, and rightfully so. As a result, the business may not be quick to re-engage security on future projects. Quality security offerings must demonstrate a sound awareness of both security principles and business operations.
- Use salesmanship: A service-oriented security team doesn't necessarily mean performing new and exciting security activities that have never been tried before. What most likely changes is the approach to the activities performed. How does one sell the concept that a security assessment is really a needed service? With earnest, well presented salesmanship. Frankly, not all security professionals are up for this challenge.
- Be pragmatic: Let's be honest with ourselves: Information security is not the most important aspect of any organization, private or public. It's an organizational enabler in the best of times, a risk-mitigation practice in the worst of times, and security professionals need to accept this. Too many planned security initiatives or goals are so burdensome to an organization that they do not make sense to pursue. Too many security professionals unreasonably hinder a sound business project because of security concerns.
Pragmatism, however, shouldn't be confused with cow-towing or compromising on issues we know are important. But supporting and enabling business goals and being seen as a valued contributor to the enterprise is part of a service-oriented mindset. Pragmatism is good for everyone, including your security initiatives and goals.
Leonard C. Wiens, CISSP, CISA, is manager of information security services at Husky Energy in Calgary. Send comments on this column to firstname.lastname@example.org
This was first published in May 2009