Information security, like a post-pubescent teenager, is struggling to shrug off the mistakes of the past.
Many of us remember our path to maturity as one of awkwardness: an adult body setting the wrong expectations for a childlike mind, and responses to new and novel situations that often involved lashing out. Of course, at the time you didn't know you were doing this; indeed, any probe by an adult into your irrational behaviour would have been met defensively and loudly.
The information security world has gone through this phase, and now finds itself with both an adult body and an adult mind, looking back at itself and wondering 'what was I thinking?'. We've all come across the old, irrational way of doing security: a business change request to leap onto the latest innovation and get ahead of the curve falls flat at the last hurdle - security.
When probed as to why it couldn't be done, security has locked up tight, reacted defensively and slowed the process down while a 'review' gets underway. More often than not a self-styled expert proverbially kicks the tyres before loudly proclaiming that the solution is safe. Press them for details as to why it is safe, and they baffle you with technospeak.
The new way of running a secure environment is one based on risk: an approach that weighs the business impact of putting security controls in place against the impact of not putting them in place, then wraps this up in a statement that business people can understand. This lets the business understand the problem before it makes the decision.
Lest we forget, while security may hold the keys to the gate, it does not own the kingdom it guards. Perhaps ironically, security should be transparent: it should be simple to see why we are doing things the way we do, and simple to quantify the business benefits against the cost of implementation and maintenance.
Of course, the adoption of this new way of thinking is slow and, as the post-pubescent teenager finds, it can take a while to heal the wounds you inflicted during your 'growing phase'. It doesn't have to be this way.
In the modern world, businesses that are not agile will surely fail or at best fail to make as much money as they could. Business leaders need to call in their security teams and get them to explain to them in simple terms what they are doing and, most importantly, why they are doing it. Business leaders need to understand that the sky isn't falling and that the decisions made in the past may have been more about a young industry making its mark rather than best business practice.
Leaders, do not let security run rings around you: learn to trust those who can explain why you need to spend your money, and question them. If you find that someone struggles to, or cannot, fairly and realistically justify a security control, then they need to do something (anything) else. Watch out for the Judge Dredds of the security world; they are a throwback to yesteryear, when we needed someone to make a quick call based on instinct.
Keep an eye out for the gems in your business and nurture people from customer-facing roles; people who strive to help are the people you need.
Security people out there need to watch out for the word 'no' and replace it with the word 'sure', followed by 'let me work out how to make that safe'.
Lee Barney CISSP-ISSMP is an information security risk management consultant