IT Security Teams Enable Business
Having an IT security team is an imperative for all companies, not just those in the enterprise space. This dedicated set of eyes is essential for small- to medium-size businesses (SMBs). It is imperative that security team members have a clear understanding of their role as a support to the organization and that their success be measured by the business team's success.
While it is easy to assume that IT understands its role in enabling business, the reality is that IT finds itself out of alignment with the business all too often. This was recently highlighted in a Network World piece on the Cloud Security Alliance Congress keynote by V. Jay laRosa, ADP's senior director, converged security architecture: "As security practitioners here, the problem is not with the cloud but with us, with our ability to evolve." He went on to add that IT security managers are often seen as barriers to innovation.
IT Security Barrier?
LaRosa's statement is accurate in many cases. The IT leadership team, be it at an enterprise or an SMB, frequently finds that its CIO has no seat at the company strategy table, and the security team is even less welcome. Why? It is largely due to the perception that the security team is an impediment to the business; it is the "no" team. This dissociation between the perceived goals and metrics of the IT team and the business team creates an artificial conflict, especially problematic within an SMB, where collaboration across company units is paramount for success.
The business team's goals and metrics are easily understood: They provide goods and services that the market desires, retain current customers and obtain new customers. There is little difference in scope between an SMB and an enterprise in this regard, but the security team is a different story. In general, the goals and metrics of the security team are to minimize risk and reduce the number of security incidents that could derail the business. An enterprise has an advantage when it comes to technology and headcount whereas an SMB may be more resource-challenged. The commonality lies in the natural tendency for the business team to expect security to focus on the minimization of risk so that a negative security event does not happen in the first place. Typically, IT teams, when asked to embrace an innovative technology or means of engaging a customer, are perceived as simply saying "no" in order to minimize risk. These perceptions must be adjusted.
Embrace Change with Innovative Business
LaRosa points out that the IT security professional should "never say no." Indeed, the conversation has to shift; the desire to embrace change and innovation means that an SMB needs a dedicated and focused security entity. A team that can embrace innovation will find its internal client eager to engage.
The road forward will not always be free of obstacles. There will be times when the IT security team just doesn't know, and in admitting a lack of understanding of or solutions for an identified risk, it provides added value. When unresolved risks are called out, IT professionals outline a road to mitigation. Once the business team has been offered choices, it has the information required to make an informed decision, such as to defer implementation while the identified risk is mitigated; to proceed with the knowledge that both risk and a roadmap to mitigation exist; or to acknowledge the risk and to hope that it does not become a reality. For IT security teams, their value-add is magnified when providing solutions and options that align the company's goals and metrics.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. Like us on Facebook. Follow us on Twitter.