Information security and the business need to be in a partnership, not a dictatorship with one party demanding the other follow certain rules and guidelines. Through a true partnership, information security risks can be mitigated and business disruptions limited, thereby creating an improved relationship and organizational efficacy.
While this struggle has been ever-present in organizations for quite a while, it's time to change. Information security professionals can lead the charge by helping the business learn more about why security professionals do the things they do, how ignoring security practices can impact the business in more ways than just updated passwords and patches applied on Tuesdays, and how being mindful throughout this journey will bridge the gap between business needs and security assurance.
Start every day with a piece of P.I.E – Positive Impact on the Enterprise
It's important to know your business partners: what's important to them, cost savings, expanding the business, mobility, etc. By understanding the goals of the business, creating a "positive impact on the enterprise" will be attainable. We will explore strategies to imbed Information Security into the day to day operations of the business, which will ensure information security has a seat at the table.
Making Information Security strategic to business innovation
Innovation seems to be the latest in a long list of buzz words related to how business needs to get done: Burning Platform, Bleeding Edge, Moving Parts, Thinking Outside the Box, are examples of overused phases which ultimately mean the same thing. How does business come up with a truly unique solution to a problem? As an information security professional, your ability to adapt, support, and protect the business as innovative ideas are implemented will secure your status as a trusted partner.
Closed Minds lead to Closed Doors
To secure a seat at the table, your ability to balance protecting the business and support innovation without jeopardizing the company's security profile is essential to becoming a trusted business partner. Sacrificing efficiency for speed when the risk is justified may need to be considered.
Business Proficient
As the business moves forward with innovation, you must keep up with the trends and changes of the industry. Understanding the industry as a whole is essential to help guide your business partners with critical information security decisions. Acquire detailed knowledge of your company mission and strategy for growth and innovation. Engage your business partners to understand their goals. With this knowledge, you can be adaptive to the needs of the business and recognize process discipline must serve the business outcome; it is not the outcome itself.
Be a Liaison and Ally
To be a liaison to the business, you need to be the point of contact (or that point person) the business can turn to to help meet their goals and at the same time control risk to the business. Allies can be made throughout the business, not just at the executive level. It's critical to always leverage day to day interactions with all levels of management and staff to form those relationships which will lead to a voice in the room when decisions are being made about new business initiatives.
Be brave, take risks to reap the benefits
Our main objective is to protect the business from risk which will be detrimental, however we need to also be willing to support the business with risky endeavors. The art of understanding risk will be key to supporting the business innovations without jeopardizing the entire organization.
Sustainability
As important as safety is to manufacturing companies, the information security program needs to work to achieve the same level of importance. Information security must be a part of all corporate processes to ensure additional risk is not introduced. Continue to own a seat at the table and influence change to insert information security into the culture.
The Wrap Up
These are just a few things that will be discussed during my session, "Bridging the Gap between Enterprise Information Security and the Business" at InfoSec World 2016. We've known for some time that security needs to be a business partner; now is the time to affect that change in your own organization with a few tips and tricks which can be implemented as soon as you return to your office.
About the author: Dave McPhee is an Information Security Manager at Caterpillar, a Fortune 100 company. Dave has a broad background in management and technology with progressive experience in IT security, project management, systems support, and application development. He supplies a unique ability to analyze systems and applications, identify business and regulatory requirements, and translate requirements to security and business solutions. McPhee will be presenting at InfoSec World 2016 on Wednesday, April 6th.
