Monday, May 19, 2008

Essential Truths in Information Security: Never say "no"

The security guy always says "no" is a phrase that is heard all too often. Unfortunately, it is usually a phrase based on the reality in which people work. Even if it is not actually the case, often people will think it is. Perception is reality.

Information security has a bad name. We are the people who always tell others that they cannot do certain things in ways that they feel they need to do them. Often, we do not even give them real reasons: because that would not be secure is not sufficient. As a child, there is nothing as frustrating as a parent saying: because I told you so.

When addressing requests of users, the most important thing to remember is that an information security professional is a service provider, and service providers never say no. It is in our best interest to keep our users happy, to guide them and to educate them about how to go about certain things. If we really feel that a request is unreasonable, we should be able to convince the requestor of that, and have him withdraw that request himself.



If that does not work, just about anyone in an organization has someone who outranks them. As an information security professional, we need to know who the most senior members of an organization are, and more importantly, the senior managers need to know who we are.

The person saying no should not be the information security professional. Our job is to identify risk, and have someone else decide if that risk is acceptable. Once that assessment has been made, we will design, implement, and operate security controls that are designed to help people do their jobs better.

We do not say no. Business representatives do.

By constantly reminding everyone in the organization that we are not there to make their lives harder by blocking them from doing things a certain way, but that we are there to make their lives easier by providing them with reliable information and with reliable information systems, we will be looked at much more favorably.

Once we get the reputation that we are there to help make things better (remember, perception is reality!) People might even come to us early on in projects to ask for our input when a project is still young.

No comments:

Post a Comment

Please share your view and opinions on what I wrote. In order to maintain quality, all comments will be moderated for merit. Contributions that call me out on statements that appear unfounded, wrong, or simply with which you disagree are highly appreciated and are even encouraged. Spam and 'me too' answers will be ignored.