Wednesday, 09 March 2011

Security must be the Business’s partner

As an industry we seem to be divided into two camps: those selling services and products, and those consuming the products and services.

Buy this, to solve that - is not a solution.

Those who sell products and services only sell their product or their service without acknowledgement of alternatives, shortfalls or pitfalls. The tagline is buy this to solve that and that and that… We need a camp 1 that is interested in building a relationship past the sale in order to build a solution. In case anyone is confused – you start designing a solution by looking at symptoms, distilling out the problem (root cause(s)), gauging the risk appetite, defining the processes and the people and lastly, at the very end, you start looking for technology to complement the processes and the people addressing the problem. Sometimes camp 1’s technology or service offering will not address the root cause. Deal with it. Call it investing in goodwill, bank it and remember it.

When you enable business, you are not a cost, you are a partner.

Those who buy products and services because the product is rated the best (by someone with no idea about your company or local markets), or because camp 1 buys you the most expensive tipple of your choice, are not looking after your company’s best interest. Start with understanding your business – what are their needs, the challenges in their sector (locally and internationally) and remember that you are a cost to them. You need to make sure that they get the biggest bang for buck – it is your responsibility to ENABLE them to do business at the lowest level of risk that they want to accept. If they aren’t accepting risk and are making you accept risk on their behalf, you are doing it wrong.

Use those suppliers who have given you goodwill, those who help you find solutions, not a new set of lights in the datacentre. You need to build an integrated security service to help your business manage risk – find someone to partner with that understands that. By an integrated security service, I mean all the people, processes and technology are there to enable your business, not for your empire.

Giving back, sharing the lessons and growing the capability of people to see security as a business enabler. We need to encourage growth, research and passion for reducing risk, whether you maintain firewalls, find CSRF attacks or manage information risk registers.

Take a step back and ask yourself, does your business (who you ask for your budget) consider you a partner? If not, you are holding the community back…

---
Also at: IT Web Security Summit 2011