Canadian Security Magazine

The road worth taking

By Tim McCreight   


The readers who have followed my column this year have been on a bit of a journey with me. We have looked at a new way to add value to an organization from the security team — identifying risks facing our business units and working through the lifecycle of risk management with business leaders as partners, not adversaries.

Is it worth it? I personally think it is — and I’m not alone. From international standards through to practitioners writing for this magazine, we are learning more about this new path security professionals are taking within their organizations. We’re seeing successful security executives lead their departments from reactive, response-driven structures to proactive, risk-based teams.

New security executives are focusing on how they can work with business units to understand the culture of their organization, and appreciate the company’s tolerance for risk. Some are even getting a chance to deal with executives at the C-level, presenting objective risk information that can ultimately aid the organization in achieving its strategic business goals.

This isn’t the case for every company, though. Some continue to believe that risks are best left unaddressed, or the work required to identify, document and address risks isn’t worthwhile. Some executives disapprove of the time and effort required to identify and document risks, determined to relegate the security team to their more traditional, operational tasks.

Many executives continue to cling to the notion that bad news doesn’t need to move upward — no good can possibly come of advising your senior executive about something that could maybe/possibly/potentially go wrong. That sort of information doesn’t serve any purpose. They will suggest that perhaps you can discuss that report in a more operationally focused meeting.


That’s truly unfortunate, not only for the security professional struggling to adapt to ever-changing threat vectors, but also for the companies themselves.

The death sentence for any program started by a security professional to identify and document risks is the ever-feared tactic of placation. Dutiful security executives conduct risk assessments, document their findings, work with project teams to vet their results and then valiantly attempt to present their objective and research-based findings to senior management. And in that meeting, crickets can be heard.

We have heard from many other writers about the concept of executive support and “buy in.” That support is critical for your successful journey towards becoming a more risk-based, business-focused security team.

Without this ongoing executive commitment, any progress you make is at the whim of your executive, leaving you stranded without any assistance. It can be a very lonely, unsatisfying walk back to the start of the path, taking an incredible amount of effort, time, and good will as well.

I’m not saying this journey isn’t full of potential obstacles, roadblocks and misconceptions from non-security professionals. It is a worthwhile adventure but I want to leave you with some hard-earned advice.

I appreciate our role in many organizations is changing. We have traditionally held a position akin to the gatekeepers of old — none shall pass, unless we allow them to. That mindset and role have changed, and security professionals who see the value of what they can bring to an organization realize managing the risk lifecycle is an important contribution to any organization.

Find executive advocates and supporters for your move to risk-based, business-focused security and keep them apprised of your progress. Just make sure you also get their written approvals along the way.

Trust me.  

Tim McCreight is a managing consultant at Seccuris (
