When IT and Security leaders don’t see eye to eye
Helplessly standing by, I watched as the new CIO dismantled a carefully crafted NIST-compliant security program. Why would he do such a thing? Unplugging the intrusion detection? Tossing out the threat and vulnerability monitoring? Cancelling the risk management meetings and burying the recent risk assessment? He is nailing the coffin shut not only on the security program, but the company, too. How will it ever comply with customer requirements again? How will it pass the next audit?
I wasn’t dreaming. This was happening before my eyes.
Years earlier I had learned a lesson that I must have forgotten. The lesson, a hazy memory, was that I should always strive to see things from another person’s point of view. Doing that, I vaguely recalled, would change my own perspective and give me understanding–creating peace in place of conflict.
What was this executive’s point of view that, as the security consultant, escaped my understanding?
Over the years I had given conference presentations frequently promoting ideas such as “The customer is always right, even when he’s wrong,” and “There is a natural conflict of interest between IT and Security, since IT wants throughput and uptime, while security wants to inhibit and restrict.”
These made for good soundbites, but later, as a consultant, I actually had to guide my clients through the politics and economics of IT and Security.
In real life, the customer really is always right. By that I mean security is not absolute. It is always relative to the risk tolerance of the customer. If the CIO wants to unplug the intrusion detection and throw away the risk register, that’s because he has higher priorities. Simple as that.
I used to think my job was to point out the folly of such things. Now I know better.
Now, when the CIO starts whirling around and wreaking havoc like the Tasmanian devil cartoon character, I pour a cup of green tea and wait. What’s actually happening when security comes undone is that the company is seeking equilibrium. By gut feel, the executives, such as the CIO and CFO, look for ways to balance costs and risks with value and goals. It is natural economics that manifests itself in sometimes fervent bursts of change.
“You’re always so calm,” said one young security analyst after a highly charged and change-filled meeting recently. “You’re like the security Buddha.” He explained that he was referring to my zen-like approach to intermediating between the CISO and the CIO. I chuckled and thought how much I wished the other executives would simply leave security to the professionals and mind their own business. But the words that came out of my mouth surprised even me.
Fight is not what the CIO needs. He needs security to work with him, not against, and for the security team to understand that it’s all part of a natural process, an ebb and flow of risk tolerance and intolerance. The pendulum will swing the other way one day soon and the IDS will be turned back on and a new risk assessment will be written.
That ebb and flow costs some shareholders their value, and some CISOs their jobs, but it is inevitable.
What I saw years ago as meddling, I now see as the natural order of things. Let the meddling come, and pour a cup of tea.