The meeting was proceeding well. The client we were advising had assembled a team from across IT: systems, applications, network, storage… "Where is security?", we asked. "We didn’t invite them – they just say no to everything and slow the meeting down. We'll pass the proposal by them later".
This was a classic case of the CSO having a reputation of being the CS-NO. If you're the kid who spits on everyone, eventually you are banned from the playground. Never mind that multiple studies show that the sooner you involve security, the more secure and cheaper the outcome.
If only this was the first or last time we heard this sentiment. Across the board, in some of the most important emerging transformational technologies, the security people are uninvited: virtualization, unified communications, social media etc.
Before we start heaping blame on the groups that uninvited security, the irresponsible people who are risking the security of the company, let's look a bit closer to home. There's a reason why the security people get uninvited – we often have our priorities upside down.
What is the priority of a chief security officer? Is it to secure the company, above all else? Absolutely not. A narrow focus on security above all else may perhaps be the prerogative of the security engineer, but at the C-level the priority is always running the business. The CSO's job is to enable the business by finding ways to say "yes" to innovation and "yes" to productivity while balancing the risk and reward of each decision.
A good CSO needs to be able to say "yes, but…" and offer solutions that mitigate the risk of a new technology. For example: "Should we allow and even encourage the use of social media?" "CSO: Yes, but let's have some acceptable use policies and protect against web-based malware." It's a lot harder than just saying "No".
If security is seen as the barrier to innovation, then security will always lose. Every single time, business imperatives will override difficult-to-measure risks. Every time you say "no", you reduce the credibility and relevance of the security organization until you are left with none.
Of course, there are always circumstances where "no" is the right answer. But those circumstances are pretty rare and they are usually quite easy to support. The vast majority of CSO decisions should be about mitigating controls to enable innovation and productivity and should start with "Yes".
So let's practice, all together now: social media – YES, instant messaging – YES, mobile devices – YES, teleworkers – YES, collaboration – YES, virtualization and cloud – YES. Start with "yes" and then work out how to make it happen without unnecessary risk. That's the job of the CSO.