Essential Truths in Information Security: Be Reliable and Trustworthy
As an information security professional, everything you do has to lead to one thing only: confidence in information.
In order to achieve this, it is of paramount importance to have excellent working relationships with the people who actual use the information in your organization (the users) and also with the owners of that information. More often than not, primary users of information are also considered the owners of that information.
Having a separation between information owners, information custodians, and an information security role is a good thing. It will allow the owners to worry about the quality of the information (including risks that might affect that quality), the custodians to look after the data within the requirements set by the owner, and the security role to ensure that the owners know what level of protection they should require, and for helping the custodians do a good job (see: "Security", whose responsibility).
As such, an information security professional sits somewhere between
the owners of the data, who decide the acceptable level of risk and the
protection required (see: protection does not equal prevention), and the persons doing the actual hands-on implementation and operations of security controls. We are enablers of a business (see: Never say no) by facilitating protection of valuable information assets.
To be able to perform his role effectively, an information
security professional must be reliable and trustworthy.
If the data
owners do not trust the information security professional, they will
not involve him in risk assessment and protection decisions. If the
information custodians do not trust the information security
professionals, he will run into significant barriers when trying to
implement and operate security controls.
It is an essential truth in information security: Be Reliable and Trustworthy.