On Being the "Department of No"

Thursday, February 03, 2011

Robb Reck

When we discuss metaphors for an information security department, we often talk about things like a traffic cop (giving out tickets for breaking the rules), or a referee (looking for those who play dirty).

The problem with those examples is that we’re portraying security as something to be avoided, whose primary contribution is punishing negative behaviors. It’s precisely this type of implementation that has led so many information security departments to be thought of as the “Department of No.”

Being known as the “Department of No” is problematic. Once a reputation is established that information security is where good ideas go to die, people will start finding ways around it. Projects will get pushed through without security being involved, or without it being involved early enough to make a difference. Employees will structure their projects so as to narrowly avoid needing security’s participation. In general, security becomes a hindrance to the company rather than the asset it needs to be.

The metaphor that best fits what information security should be is that of a skills coach. Be it a hitting coach in baseball or an offensive line coach in football, the skills coach exists to identify areas for improvement and to come alongside his charges to build them up.

While the cop or referee is there to identify mistakes and levy a punishment for them, the coach is there to help grow the skill sets and foster the attitudes that will result in improved performance. The skills coach works as a partner with his players and helps them grow into better contributors to the team.

Simply put, we can best avoid the “Department of No” label by saying “Yes” more often than “No.” And we can only do that if we are actively involved in the business of our coworkers. When we get involved in their procedure-level activities, we can offer practical assistance in ways to become both more secure and more efficient. Once we get elbow-deep in the work of our coworkers, they won’t be coming to us asking whether their insecure systems are okay; instead, we will already have built a secure system together, working side by side.

We are not the head coaches of our companies. That’s the job of management. But we have been brought on board to give specific advice on how to perform their jobs the right way. By involving ourselves in their work before the security questions are asked, we can spend more time teaching and less time fixing mistakes and saying “No.”

Cross-posted from Enterprise InfoSec Blog from Robb Reck

Adrian Wright This is all very true and something I incorporate into the many presentations I give on 'why security isn't working'.
The negative perceptions persist because a large majority of infosec officers still behave like Network Police and don't communicate effectively to win hearts and minds.
To give an example: in my last head of infosecurity role some of my team decided to have an informal competition to come up with a word describing the plural of 'information security manager' - you know, like a gaggle of geese, pride of lions etc. And the winning entrant? A DELAY of security managers! Well, that was obviously the perception of the rest of the business then, and probably still is now.

The general feeling I get from talking to all kinds of security, risk and compliance people is that they now universally accept that security comes down to people rather than just technology, and therefore things like good communication, influencing, raising the profile, training and awareness are all the areas we need to focus on. Unfortunately I also believe that these are precisely the areas where we as security wonks, techies and risk-avoiders are weakest. Earlier this week I hosted a debate session at an infosecurity CISO meeting rather provocatively titled: "Information security is a failure - so fire yourself and hand the job to another function to do". The core argument being that stated above - i.e. if it's now all down to soft skills and excellent communication; are we still the right people to deliver the goods?

I not only survived the debate, but have since been contacted by a number of attendees asking me when my book comes out...
shawn merdinger Good article. I believe two specific trends are pushing against security.

1. "Hacking work" is the new black.

People are doing whatever it takes to be productive and if that means they have to skirt around restrictive security measures to get stuff done, they will. Books and blogs on this subject are popular.

2. The Consumerization of IT

People are expecting to use their snazzy consumer electronics in a work environment and IT security does not have the tools and policies in place to address the risks.

Bruce Schneier's blog post sums this up nicely:

"Consumerization and Corporate IT Security"

Robb Reck Thanks for taking the time to read and comment on this post. Aligning information security to the business objectives (and our overwhelming failure to do so) is probably the area I feel strongest about. It's great to see this issue being recognized and addressed by those in the field.
Allan Pratt, MBA Excellent post, Robb. There needs to be more discussion about this topic - especially since security is becoming more prevalent with today's mobile society.
Rafal Los Robb - I've been using that phrase for years, ever since I worked as a security professional for a very large, global 2-letter company... it was an eye-opening experience when someone once said to me "All you guys ever say is no, why don't you ever give alternatives?" ...then I woke up and realized why everyone hated the security team.

Sadly, the reality is that many in Information Security today still don't "get it" ...they're the department of no and their security practices are black and white - which just isn't sustainable in an enterprise world.

Great post.
Ben Keeley Completely agree with Shawn, though I am shocked to see the brashness and naivety of those 'Hacking Work' people: "Hacking work is the act of getting what you need to do your best by exploiting loopholes and creating workarounds. It is taking the usual ways of doing things and bypassing them to produce improved results, for the company as well as for yourself". Security teams should suggest alternatives if a suggestion is problematic, but the employees of a company should respect that Security professionals are there to aid the business, not cause it to fail.
Rafal Los People are like water ...water always finds the path of least resistance. People are the same way ...so the only alternative we have as security professionals is to offer the average user, coder or manager a way that is SECURE by DEFAULT, and is also coincidentally the easiest way to get the job done.

Otherwise ...boys and girls, we're just spitting into the wind.