How to Approach IT Security – Move away from the dark side!

Why do we have IT security? Is it to protect information? Is it to ensure that the wrong people don’t get access? All are true, but it’s what I like to call “the dark side” of IT security. In my mind IT security needs to be much more positive. Usually the mindset I run into in an organization is that IT security is seen as a hindrance and not a valuable ally to achieve important business objectives.

Don’t see this as a quick cure for your organization. Changes take time and changing a behavior or a perception takes even longer. So what I want to present here is “a way of living” in IT security.

So how should we approach IT security?

It’s easy – Provide the right people, the right access, at the right time

What I am saying is, don’t only focus on what you need to do to keep the “bad guys” out of your system. Spend your time and resources on ensuring the right people, the right access and the right time. I am not suggesting that you ignore the dark side; you also need to ensure that your network is secured against hackers. But I suggest you focus on the positive areas.

What does it mean?

If you want to bring IT security to new heights, I suggest you treat it as any other part of your business. IT security needs to be relevant for your organization and it needs to add value. If it doesn’t, you will never have a chance to do all the great things you want to achieve with a proactive approach to IT security.

For example, if a key business objective is to give customers easy access to purchasing through a webshop, an often forgotten key player and enabler for the strategic effort is IT security. Without proper security customers will not be able to access the system, hence the solution will never become a success.

I am not trying to convince you that IT security is the center of all activity in an organization – not at all. What I am trying to convince you of is that IT security needs to be marketed and positioned correctly for it to add value in an organization.

How to practically implement this approach?

You might think:

“It sounds like a good idea, but where do I start?”

…no worries, I will give you a few pointers on how to approach it.

Firstly, you need to understand your organization and the current key business drivers. If mobility is a key driver in the entire organization, how much do you enable this driver if you only suggest a firewall review? Not much. But if you can suggest a well-thought-out solution that handles the key security aspects around mobility in a way that eases administration and increases usability, then you have a winning business case. So instead of focusing on the risks, focus on what can be done from a security perspective to achieve critical business goals – and keep in mind that the dark side also needs to be taken care of, but the selling point is the business enablement elements.

Secondly, you need to not only look at today’s challenges, but focus on what key players are talking about in the organization. That way you can mobilize your efforts as soon as the area becomes a key driver – basically you move away from a reactive approach to becoming a proactive player.

Thirdly, you need to map the business objectives and goals into a goal hierarchy. This will visually show how IT security supports the overall business objectives. But it also shows you which solutions map to the most objectives, and hence are the most valuable solutions. Be sure to document the goal hierarchy and make it available in your organization (both physically and virtually) – use the intranet and walls where relevant.

Finally, you need to document and market the wins you have. So if the mobility solution was seen as a huge success in the organization because it was user friendly and easy to gain access to, use that and build an internal marketing campaign around the security efforts that went into building the solution. That will over time change the perspective on IT security in your organization to a much more positive one.

About Kenneth Hartvig

In my professional life I have 4 great passions: SAP Security + Identity & Access Management + Business Development + Leadership. I am easily inspired with new ideas for business development, and I do my best to contribute with my insight on how to make things better for my clients. As a leader, a key focus point for me is involvement - I want to know my employees. I want to involve them in the decision process. I want to create ownership and commitment. To me involvement is the best way of unlocking people's potential to become better. On the technical side my relationship with my first great love, SAP, started in 2002. Since then, through participation in various courses, seminars, conferences and of course many exciting projects, I have gained a broad experience in developing, implementing, managing, operating and auditing SAP security solutions. It was also in connection with simplification of SAP access management that I moved into the Identity & Access Management sphere. Since then I have completed several IAM projects with various software solutions, incl. Control SA, TIM, MS FIM and Omada.

One response to “How to Approach IT Security – Move away from the dark side!”

  1. Peter Jæger says:

    Hi Kenneth

    Nice blog you have started.

    Once in a while our stakeholders have a hard time understanding the risks we are trying to mitigate. To start the dialogue I sometimes quote these words of wisdom from Professor Gene Spafford:

    “Security is like adding brakes to cars. The purpose of brakes is not to stop you: it’s to enable you to go fast!”

    /Peter
