Information Security – How to change your colors
One of the biggest problems information security encounters is the perception, or the reality, of slowing down the business. I’ve encountered this myself in my career. One of the ways I dealt with this problem is through an effective use of the risk assessment process. An effective risk assessment process can be the cornerstone, or the hub of activity, for Information Security. Picture a group that gets involved in all projects from inception to deployment, understands the security needs of its customers, provides iterative security requirements, understands the needs of the different security groups, and gives management either an acceptable risk reduction or a decision point to accept some type of risk. Risk assessment requires a robust process that keeps pace with the project and doesn’t slow it down. Security teams need to make sure all risks are known and addressed in some way prior to construction or development, so that IT/Development has what it needs to proceed. If issues arise during the construction or development phase, they are then more easily addressed in a timely manner.
The slowdown problem can be remedied by a team of risk analysts who are fairly technical, understand technology and security, and know how to build effective relationships with their customers. In my experience, an effective team of risk analysts is not just a group of checklist jockeys. Checklist jockeys are slow, don’t generally understand what they’re assessing, tend to get stuck on innocuous issues, and definitely aren’t interested in building a lasting relationship with IT/developers or the business. This is what creates the bad impression among the business and technologists. An effective team of risk analysts, by contrast, consists of experienced professionals who know how to ask effective questions based upon checklists, engage the customers in a dialog to “understand” the technology or application in question, and are genuinely interested in cultivating lasting relationships. Additionally, these are people who can be very decisive about what constitutes a high risk versus a low risk, and who provide immediate feedback on how to mitigate a risk.
Your team of expert risk analysts can identify and qualify the risks, and explain how they impact the business, in terms the technology and business customers can understand. Now, it’s one thing to identify a risk, but a whole different activity to provide a mitigation strategy that meets the need to protect the business while not slowing the delivery of the project for the business. Identifying a good risk mitigation strategy involves another dialog with the technologists and/or the business to “negotiate” a result that works for both in a timely manner. The other important factor is not to introduce yet another point security solution to solve each problem, but instead to look for solutions within the context of the entire security architecture first; if you do need a new security solution, make sure that it fits within that security context. I’ve seen this work to the extent that project teams already start to think about the security issues they’ll potentially run into even before Information Security is involved.
While the above is only a thumbnail of the details you need to be successful, consider that these key points can be an important foundation for building better relationships with your customers and help elevate your team to the role of trusted advisor and partner. That’s how you start to change your colors.