Chapter 8. And in This Corner, It’s Security Versus the Business!

Ben Smith

Too many promising careers are derailed by the belief that working in information security is purely a technical job.

Many of us arrive in the information security space via the technical realm. Perhaps you got started through hands-on configuration of firewalls and routers, or managing your organization’s domain server, or developing secure interfaces to databases, or working an IT helpdesk where you kept raising your hand when someone called in with a security question. Or all of the above.

And as your knowledge expands, along with your career, you may even move up within your organization: from a frontline engineer or analyst, to a network architect, to a team lead, to a people manager. Each step up the ladder tends to expose you to a wider set of technologies and responsibilities.

At some point during all this upward mobility, a light bulb switches on. Some of us notice it, but many do not.

Every organization grows silos over time, partitioning corporate functions into separate management buckets. It’s expected, and largely natural, but over time the presence of these silos can be unhealthy—even a threat to your organization’s ability to scale your business.

Nowhere is this threat more pronounced than in an organization where the information security team is unaware of, or unwilling to take the time to understand, the needs of the business. It’s sometimes easy to forget that you are ultimately employed to support the business. You can’t view yourself only as an investigator or an enforcer.

You are part of “the business,” whether it feels that way or not. And, as an information security professional, if you don’t understand how your department fits into the broader goals and charter of your organization, you’re doing a disservice not only to your boss, your team, and your company, but your career as well.

But I think you already know what I’m talking about. More than once, you’ve commiserated with your information security coworkers about “those people” who just don’t get it. “Can you believe that marketing set up their own web server?” “Why don’t our executives appreciate why we need to secure that data?” “Yeah, she just walked out of here with that laptop. I don’t think her boss understands it’s much more than simply theft of a device.”

Far too frequently, what’s happening here is that different languages are being spoken. It’s like an English speaker and a German speaker attempting to communicate with one another—each speaker may divine a hint of what the other is saying, but both ultimately are speaking past each other. And when that happens, there is no communication at all, only noise.

Security and the business don’t have to have an adversarial relationship. They should not. They must not. Remember, both of these teams are ultimately operating under the same charter: protect and leverage the intellectual property of the organization to maximize revenue and/or delivery of services.

Your job, wearing your information security and risk management hat, is to help educate your business peers: while you and your team bring specific skills and tools to support this charter, it is the business that ultimately owns the risk for any specific project. You can help them achieve their goals, and your goals, at the same time—but only if you know how to speak with one another. It’s a partnership!

Be that wise information security resource who takes the time to get to know your peers within the business line(s) you are supporting. Become the key translator in your group who can speak both languages.

Your career will thank you.
