I continually read posts from “Cybersecurity Experts” claiming that information security professionals should say “no” to the companies that we support. This manner of thinking is dangerous and downright wrong to me. Cybersecurity experts are technical risk managers whose role is business enablement. If we stop the business from being successful through inappropriate security, the business fails! I always say that we can “secure” a company by inhibiting people from doing their jobs, but we can never “secure” a company by ensuring that no hacker can ever break in! There are too many factors that cannot be controlled in a cost-effective and realistic manner.
When “Cybersecurity Experts” believe that their job is to say “No”, multiple things occur:
1. End users usually find a workaround, and this is usually to the detriment of the overall security posture. We need to foster a program where all employees are cybersecurity aware and fully engaged in protecting our customers.
2. Cybersecurity becomes too costly; if a business cannot perform its normal business processes, how does anyone stay employed?
3. Technology becomes the primary and preferred solution. This is not a cost-effective way of managing risk, and I usually find that these types of security programs have “Blinky Light Syndrome”! It’s a phrase I coined a few years back when I noticed that many companies had spent tons of money on solutions that were never actually configured to work. So-called “set it and forget it” solutions. These devices were plugged in, and when the blinking power light came on, they had instant security; at least, that is what they told the auditors. I could go on for hours on this topic alone; I have seen so many cases where too much money was spent on products when process changes would have been far more successful!
4. Executive management never truly gets engaged in being a part of the cybersecurity solution. Corporate life can be extremely political, and executives have to ensure that they are business enablers; they cannot be associated with “No” people.
5. The entire program becomes nothing more than a shell: an uber checkbox that enables auditors to check all of the boxes.
I teach my team to find a way to say “yes”. This does not mean that we allow reckless activity or a poorly run program. Just the opposite: we take a consultative approach to cybersecurity. We meet with business owners and operational teams, find out what they are trying to accomplish, and find a solution that sets every team up for success. I have found few places where this approach hasn’t succeeded, and in those few places, “No” would not have worked either.