Typically - and very often for good and genuine reasons - the information security function in many organizations is viewed as blocking business or delaying projects and business initiatives. This results in the common scenario where security is often the last to know about a new IT or business initiative and then has to scramble to provide security input against a looming business deadline. In many cases this means systems go live to meet a business deadline with security issues still outstanding. Promises that these issues will be addressed in the future are always made, but are never fulfilled.
Building trust into relationships takes time and effort. It requires constant communication between both parties to ensure they understand each other’s viewpoints and positions, as well as honest engagement from each party when it comes to outlining their expectations from the relationship. Needless to say, trust is built by delivering on what is promised.
We need to be better at engaging with those outside of security, both technical and non-technical. We need to improve our understanding of their requirements and our ability to demonstrate what is required in order to do business securely. We need to accept and realize that security is not a technical issue but a business one. As such, we should realize that it is the business that decides what to do based on the trusted advice it gets from us.
When I make the above argument I often get the response “Why should we have to understand the business? The business should make more efforts in understanding our requirements”. If we take this approach, we rely on the other party to take the initiative to open the dialogue to start building that trust. If they don’t, security will always be our responsibility and likewise all security breaches and failures will be ours, too.
Building a strong relationship based on trust is a long journey. Someone has to take the first step so others can follow. Let’s reach out to the business, and try to better understand what they are trying to achieve and learn how best to be a trusted advisor.