NEW YORK - Being an IT security specialist requires a close understanding of business goals, a dose of salesmanship and a willingness to say yes to projects even if it means dealing with new risks, top network security professionals told attendees at last week's inaugural Interop New York.
Security as an enabler of business was a major theme at the show, which represented an attempt by event organizers to revive an East Coast version of Interop to supplement the flagship Las Vegas edition. Organizers had anticipated only 5,000 attendees and could supply no firm attendance figures last week, but the show seemed lightly attended.
"If security is the only thing that drives innovations in your company, you are certainly headed down the road to disintegration," said Dave Girouard, general manager of Google Enterprise, who delivered a keynote address. Security policy setters have to get past the knee-jerk reaction, "When in doubt, restrict access," he said. "You need to think, 'Who can have access to what?' and enable that. It is fundamental to a company's competitiveness."
Some IT security executives at the event said they are already taking to heart the advice from Google's Girouard.
"We take the position that security should enable business processes," said Dave Vandernaalt, director of the strategic technology division for the City of New York. "The question is: How do you prove to the business side that you've shifted from being the police to being an enabler?"
The answer involves approaching network security with an understanding that finding new uses for data is essential to successful businesses. Security professionals must help these new uses happen while minimizing the threat that data will be compromised, said Sunil Misra, chief security adviser for Unisys.
Part of the problem is the way security people phrase their advice, said Thomas Dunbar, global IT CSO for XL Capital, a re-insurance firm in Bermuda. If business leaders in the company want to make data more widely accessible, his first step is to see if that can be done without putting the company at risk. "So we say yes. There may be a lot of buts along with it, but we say yes," he said.
Tighter alignment with business leaders is being hampered by the reputation security specialists have for just saying no to any proposal that expands access to data, regardless of its potential business benefits, Misra said. As one of his clients put it, "It's not all about cost and risk avoidance. Figure out what we can do."
Security executives can help themselves by sharing data they already have with business executives in a context they can relate to, Vandernaalt said. For instance, his department knew the percentage of city government computers that had anti-virus software properly configured and updated. He converted that department-by-department data into a pass-fail rate and distributed it to department heads.
When a virus hit and prevented departments from working, he referred to those numbers to demonstrate the importance of anti-virus compliance. "There's an awful lot of stuff we measure that can be converted into numbers business executives understand," he said.