On being the “Department of No”
When we discuss metaphors for an information security department, we often talk about things like a traffic cop (giving out tickets for breaking the rules), or a referee (looking for those who play dirty). The problem with those examples is that we’re portraying security as something to be avoided, whose primary contribution is punishing negative behaviors. It’s precisely this type of implementation that has led so many information security departments to be thought of as the “Department of No.”
Being known as the “Department of No” is problematic. Once a reputation is established that information security is where good ideas go to die, people will start finding ways around it. Projects will get pushed through without security being involved or without being involved early enough to make a difference. Employees will structure their projects in such a way as to narrowly avoid getting security participation. Generally, security becomes a hindrance to the company, rather than the asset it needs to be.
The metaphor that best fits what information security should be is that of a skills coach. Be it a hitting coach in baseball or an offensive line coach in football, the skills coach exists to identify areas for improvement and to come alongside his charges to build them up.
While the cop or referee is there to identify mistakes and levy a punishment for them, the coach is there to help grow the skill-sets and foster the attitudes that will result in improved performance. The skills coach works as a partner with his players and helps them grow to become better contributors to the team.
Simply put, we can best avoid the “Department of No” label by saying “Yes” more often than “No.” And we can only do that if we are actively involved in the business of our coworkers. When we get involved with their procedure-level activities, we can offer practical assistance in ways to become more secure and efficient. Once we get elbow-deep in the work of our coworkers, they won’t be coming to us asking whether their insecure systems are okay; instead, we will already have built a secure system working side by side with them.
We are not the head coach of our companies. That’s the job of management. But we have been brought on board to give specific advice on how to perform their jobs the right way. By involving ourselves in their work before the security questions are asked, we can spend more time teaching, and less time fixing mistakes and saying “No.”
Connect with Robb on Google+