Security leaders are, by their nature, paranoid. We spend so much time dealing with security issues and seeing our peers dealing with them, that it's natural to want to freak out when we learn about a new business initiative that will introduce new security risks. The knee-jerk reaction when learning about the new initiative is to say, "no," and to convince the business that heading down that path is too dangerous and risky.
But here are the facts that security leaders must come to accept: If the business identifies an initiative that will return value to the stakeholders, as long as it's legal, it's going to happen. If the security leader tries to get in the way or stop it from occurring, the business unit will simply ignore or circumvent him/her. The most successful security leaders recognize this fact, and once they take that first deep breath after learning of the new initiative, they begin to look for ways to best manage the risks.
How to Manage Security Risks without Saying No
Several years ago, during one of my CISO stints, I learned about a business unit in our company that was using AOL Instant Messenger as a primary communication tool to keep in touch with high-value clients. (I told you it was SEVERAL years ago!). At the time, AOL's Instant Messenger client was extremely popular for personal use, but it was highly insecure and had no enterprise-class features (things like encryption, message archiving, logging capabilities, etc. were non-existent). This business unit was our company's most profitable and fastest-growing unit, and the business unit had a senior leader who was highly influential and very vocal.
My inclination upon learning of this cringe-worthy circumstance was to call up the Vice President of this business unit and, in no uncertain terms, ask him what-in-the-world they were thinking. However, I suppressed my concern and instead called him to simply ask what they were using AOL IM to accomplish for their business unit. What I learned was that these high-value clients wanted near-instant response capabilities and the capacity to see availability (these days, we call it "presence") of their contact, but they didn't want to talk via phone. They also wanted to use a tool they were already using on their computers without having to learn another communications tool.
Once I understood the use case, I offered up a solution that worked for everyone. Our company was using Lotus Notes as our e-mail system at the time, and Lotus offered a tool called Sametime that integrated seamlessly with AOL's IM client. Our folks could use the Lotus Sametime client on their computers and simply configure it with their AOL IM identification credentials, and it would communicate with their clients' AOL IM system such that the client would have no idea that our associates weren't also using the AOL IM software.
Sametime offered the ability to encrypt and archive all communications, as well as full logging of each connection, and our license agreement for Lotus Notes included the Sametime client at no additional cost! All I had to do was explain the security risks to the VP and offer up the alternative solution (at no additional cost, with minimal learning curve), and he was on board. Not only was this good news to the VP, but he got to take a "victory lap" with other senior executives because he was championing security risk reduction AND helping to roll out great new software for the company. A true "win-win" for all! This is a simple (and somewhat archaic) example of how security leaders can help to manage cybersecurity risks without having to say "no."
Look for Solutions Together
Security leaders who keep saying no will eventually no longer be asked to weigh in, and their ability and opportunity to influence new initiatives will be diminished. Those who learn to quickly analyze and process the new initiative and jump in to become a part of the planning and implementation process, while also properly managing risks along the way, will find themselves a partner and valuable contributor to the business's efforts. So, the next time you're tempted to fly off the handle at a renegade business initiative you're just hearing about, take the time to understand the drivers, as well as the business's objectives. Then, possibly, you and your team can find a happy medium that the business will support.
Overcome the Paranoia
As leaders in the information security industry, our team at LBMC Information Security has a unique depth of expertise at your disposal. Explore our Security Consulting services or contact us today to learn how we can help you with information security solutions.
This blog is the fourth in a series by Mark Burnette on security leadership that focuses on key issues security executives face daily and tips for how to navigate those issues with excellence.