Making Cybersecurity a Partner to the Business (Or how to avoid being the team of “NO!”)
If we are being honest, we would realize that the cybersecurity team is largely viewed by users of the organization's resources as “the team of NO”! This perception has arisen out of the reality of how the cybersecurity team often interfaces with the larger organization. A user needs access to a sensitive file but is not in a department that should have the access, so the answer is no! Someone wants to install some unapproved software on their laptop or even a server, so the answer is no! There are hundreds of scenarios that we could go through, but you get the idea. When someone in the organization requests approval to do something that is not in line with policies or standards, naturally the answer must be no. We can’t just allow people to do whatever they want to do in our environment, right? Well, I agree that violations of policy or standards should not be taken lightly and certainly, as the term implies, should be exceptions as opposed to normal practice. So, given that situation, how do we change the perceptions of those many users and at the same time keep the organization's cyber resources safe and secure? In my experience we do that by partnering with them to help them achieve their business objectives securely.
But what does it mean to partner with the businesspeople we support? I have developed an acrostic to help us see it. When someone comes to the cybersecurity team with a request that seems way out of line, the approach is to PARTNER with them by doing the following things: Probe, Alternatives, Research, Teach, Network, Exception, Respect.
Let's take some time to look at these elements in more detail to better understand how they can be effective tools in changing the perception of cybersecurity in the organization.
Probe
The first step in dealing with a request is to Probe a bit. Why is the individual asking for this access or tool or whatever? What are they trying to achieve? You might find out that they have a very valid business need that must be met but unless you probe a bit and ask some questions you will never know.
Alternatives
Once you know what they are trying to do and why they think they need a certain level of access or permission, you can begin to look for alternatives. In my experience I have often found that the reason for the request is due to a lack of understanding of alternatives that may be just as effective in accomplishing their goals while staying within the boundaries of policy.
Research
Alternative solutions might not be readily apparent, so the cybersecurity professional should work with the requester to research things a bit more. Yes, this may take time, but it will pay dividends in the future: I have rarely seen a request that has not been repeated several times over, and a well-researched and documented approach can save the team and requesters a great deal of time later on.
Teach
As mentioned above, the requests that we feel we need to say no to often come from a lack of understanding. It is important to take the time to teach the requester so that in the future they might approach things differently. Don’t neglect telling them why their approach is not in line with policy or even good practice. Try to help them understand the reasoning behind your lack of immediate approval.
Network
During my career, I have found that I simply do not have all the answers; in fact, none of us do. The mark of a good cybersecurity professional is not knowing all the answers but knowing who or where to go to find them. Networking both inside and outside of your organization is an effective way of identifying those individuals who might have answers that you, or the requester, need.
Exception
There are those times when, after all the looking for alternatives, researching, teaching and networking, you just cannot find a way forward that is compliant with policy. At this point it is necessary to investigate the possibility of operating under an exception. It is here where many cybersecurity professionals fail. Our instinct is to abhor any exception to the policies or standards that we know are best for the organization. Unfortunately, this often comes because the cybersecurity person sees themselves as the keeper of the keys to the kingdom and fails to realize that the acceptable risk decision is a business decision and not theirs to make. Your role is to inform the business of the risk they are about to take on, require a leader in the organization to accept responsibility for the risk, in writing, and ensure that it is fully documented for review on a periodic basis by the senior executives.
Respect
The final thing to keep in mind is to treat every requester with respect. It is quite common that the businessperson you are dealing with may be an expert in their field but has little technical competency. This is where the highly technical cybersecurity person needs to be gracious and respectful in all their dealings. Nothing damages a relationship more than disrespect! You can do all the other things called out in this article correctly and ruin it all by not showing respect to those you must assist. Don’t talk down to them. Patiently explain technical details in a way that is relevant and easy for the requester to understand. Don’t display frustration with them if they are having difficulty grasping a concept or process. And most importantly, don’t get angry if things do not appear to be going the way you expected. Learn how to keep your emotions in check and always act professionally. Basically, show everyone respect and you will find that it comes back to you as well.
Conclusion
I can hear the objections now! “Our cybersecurity staff is already overworked; how can we possibly take the time needed to do this?” or “The users in my organization won’t listen; they just want to get on with their task and to heck with security!” These are very valid concerns and things that you will have to overcome if you are to be seen as an enabling department instead of a roadblock. In some organizations I have worked with, we put a first-line support team in place for the cybersecurity function to handle the initial contact with the business and either solve the problem or pass it to a more senior person to work through. The result was that we were able to solve nearly 80% of the issues without having to escalate them to the senior staff. This greatly improved the perception of the cybersecurity team among those in the business. Additionally, it gave junior staff a place to learn and grow, providing us the ability to organically grow the organization over time.
So what did we learn? If we are to show the organization that we are a partner and not a roadblock or the team of no, we must learn and carry out the fundamentals of partnering: probing to understand their objective, helping them find secure alternatives, performing research to help them achieve their goals, teaching them how to research and find those alternatives on their own, networking to find answers, dealing correctly with exceptions when necessary and, finally, showing respect to all individuals at all times. This approach does involve resources, but the long-term dividends are truly worth the investment!
Information Security Risk Assessor @ PayPal | Third Party Risk Assessor, Artificial Intelligence
3 months
Great read, thank you Gary! A proactive and collaborative engagement model between IT risk/security experts and the business will ultimately change the “clog-in-the-wheel” narrative.
Senior Manager - IT Product Management Lead (PL)
4 months
Loved it. Generally everyone understands the need, and can talk about the CIA triad and other security corners, but when developers/engineers get into firefighting mode, whether for fixing a prod bug or chasing a very aggressive delivery timeline, that's when security becomes secondary. Adhering to security call-outs and listening to the security team should be part of reflex, similar to locking the laptop or closing the door while in the loo.