Is Your Security Department Necessary?

Tuesday, February 19, 2008 by Mistlee

By Dan Morrill

"What do you do that provides value to the company?" With all the companies I have worked with and worked in over the last 20 years, asking this one question seems to leave everyone slack-jawed at the interview.

Of course, managers are usually happy with this question, while many tech-geeky folks are incensed that I would not know what a security department does. While in general we all have an idea of what a security department does, the real question is "what does your security department do for you to make the business safer?"

The security department is responsible for working with business to bring more secure services to customers, internal and external.

If you are not doing the above in a sound way, one that accommodates budget (part of every business project should be a security budget), has all levels working with each other (developers, security, business analysts, managers, and the eventual owners of the project), and at least tries to identify risk, then the department is not doing what it needs to do. If the security department also does not have an A-level executive sign off on those risks, then its initial reason to exist, working with the business, is not being met.

The failures to do this are legion; there are enough horror stories out there that have customers and business partners quite rightly asking, "What is up with that company?" From missing laptops, to credit card systems, to internal business data, to e-mail from Media Sentry: the whole gamut of security issues.

We know all the stories.

What have we done to address the risks that those stories entail?

The security department is responsible for working with business to bring more secure services to customers, internal and external.

We fail.

This gives people like Peter Tippett the opportunity to take us head on, and tell us that our priorities are all wrong, because we are not:

The security department is responsible for working with business to bring more secure services to customers, internal and external.

Doing this.


Walk in to work tomorrow and ask your information security manager:

What have we done to address the risks that this project entails?

It might make it a bad day, or you might just get the attention of many people in the department. Depending on which way it goes, there are three ways this will work out.

The manager will know exactly what the risks are and how they are being addressed. This is the best-case scenario, and the most unlikely.

The manager will not know what the risks are, and will ask you to figure them out. This is the more likely scenario, and one that means much work for the person asking the question. In the longer run, though, it means a safer, more robust system. It might also tick off everyone you work with, because it means they have to do more work, or the work they are paid to do. Either one of these will make you instantly unpopular.

The manager will not know, nor care, why you are asking. This is the worst-case scenario, meaning it is probably time to find a different environment, or to wait for that manager to go, before you have an informed and effective security department.

This is part two of "Stop Wasting Time and Money", a "perfect world viewpoint" of what information security should be doing for a company.
