Originally Published - 12/6/15
In the same way that there are typically 3 points of view on any issue, 'for", "against" and "unsure", in any organization I would suggest that there are 3 perspectives on risk.
Those whose job it is to manage or reduce risk.
Legal
Finance
Information Security
Those who don't really know any better - what I call the "Unbeknownst Risk Takers"
End Users
Partners
Vendors
Finally there are those who are knowingly taking risks, and are compensated to do so.
R&D
Product Development
Business Development
In a functional environment there should be a “Healthy Tension” between the Risk Managers and the Risk Takers accompanied by appropriate management of those in the middle.
Knowing this - what should a leader of a security organization be working on ? My recommendation is to Create and Manage this Healthy Tension – but how ?
First job of any leader, including those in security, is to understand the goals of the organization and I would suggest that it's more than knowing the Mission Statement or stated goals, to really get it you must follow the money. Which parts of the organization make the money, and who's spending it ?
For example, do you work in an organization that has business units that sell products, run their own profit and loss accounts, have a large degree of autonomy and fund corporate activities through a "tax" (% of revenue ?) ? Or an organization that's funded centrally like a charity or government agency ? These examples will require different approaches from a Security leader.
In my experience, successful Security Leaders should establish a proactive approach to managing risk.
Don’t employ a reactive risk minimization approach
No blind enforcement of the status quo
Work to not be perceived as a business “killer”
You should lead from the top, show your team the appropriate approach!
Be an enabler “yes, and “ vs “no we can’t”
Don’t be afraid to show that there is a cost to enabling risk – DON’T give away the farm, build a business case to show how business goals can be met with appropriate risk.
Work with the risk takers to incorporate your cost analysis into their projections EARLY in the process
I'm sure we can all think of examples of the laws of unintended consequences, and that is especially true in the world of Information Security. As a leader you should look at the alignment of incentives across the company and see if those are running contrary to the stated level of risk that the organization is willing & able to tolerate.
Goal of Organization vs Goals of Security Team - are the incentives of the Security team in alignment or do they run contrary to the organization goals ?
Think about and understand the alignment of incentives for Security vs Ops vs Sales vs Product Development, those risk mangers vs risk takers.
Does the entire security team understand what the company does and where the real value is ?
I've mentioned the "Incented "Risk Takers" a few times now - as you read this, do you know who are the designated “Risk Takers” in your organization ?
If not, find them !!!
Talk to them, at all levels, not just your peers, your team should find their peers in those organizations.
Understand their goals, and identify how to enable the risk takers.
Typically I would recommend that to enable the risk takers, you and your team should “Walk a mile in their shoes”. As a Security Leader take the time to emulate the interactions of your employees, your customers and your vendors.
How do they actually interact with the security controls that YOU responsible for ?
Do they circumvent controls to align with the way they are incented (“Get their jobs done”) ?
Success as an Information Security leader requires understanding incentives, looking for unintended consequences and proactively identifying and enabling risk takers by identifying and communicating appropriate costs.
More to come !!