The coming days will bring a special atmosphere. Christmas and the New Year days are a good occasion to relax and… to take good resolutions! For people involved in information security, a good one could be to adopt the “zen attitude” and try to establish more diplomatic relations with the business.
I just finished a security audit. Apart small security issues and some procedures to be improved, no major threats. The teams know their environment and how to manage it. The biggest concern was the relation between the “business” and the “security”. In the report conclusions, one of my recommendations was to invite both parties around a table and … discuss!
A classic scenario: the “business” wants to access a specific resource or to deploy a new “free-killer-application”, despites any security consideration. For the majority of us, the first reflex is a negative reaction (from the business point of view). We know what could be the consequences of such changes at security level. But the business does not care! And we can’t blame them for this…
Information security is a fascinating topic, constantly renewing! And we, infosec professionals, like this. Unfortunately, a lot of us (include myself honestly!) lack of contacts with the reality business. Don’t forget that the assets we are protecting do not belong to us. They are maintained by the IT and used by the business for the business. We can’t stop the business. Does it mean that we can accept all requests? Certainly not.
Back to the example above, it sounds logical that people require more access to assets or new tools. And it’s also our job to warn about the potential security issues… How to successfully deliver your message? Here are some tips:
- First, stay zen, breathe deeply and avoid any non pondered answer.
- Infosec guys are seen as “geeks” with their own vocabulary. They speak “bits & bytes”, “TCP/IP”, “CVE” or “buffer overflow”. Adapt your language to the people standing on front of you.
- Translate the “security” risks into “business” risks. How they can affect the organization: loss of profit, loss of credibility, etc.
- Do not discuss about hot topics next to the coffee machine. Reserve a meeting room and prepare your arguments.
- Don’t close the discussion, propose alternatives, be constructive!
- Propose to perform a risk assessment. Explain the risks, impacts, how to avoid or reduce them. If a risk must be accepted, at least it’s know by all parties.
- Finally, if the situation seems blocked, ask to the top management to take part in the conversation.
As you see, a good communication is the key to success! This was my reflexion just before Christmas! Comments are welcome! Merry Christmas to you all and your families!