Walk The Line
While CXOs and IT pros agree that security is a priority, a palpable tension still exists between business units and infosec teams. Security teams are tasked with protecting customer information and corporate brands, but they also must balance the demands of the business.
"Our company is very risk-accepting," says the senior security analyst at a national retail chain. "If a mission-critical business app will benefit the bottom line but there are security concerns, we aren't going to hold up anything from going into production." Instead, his security team is expected to secure applications after they're deployed. This approach is akin to building a house with a poor foundation and hoping to brace it up later.
In contrast, McNabb says that Vanguard Group gets the security team involved with new applications from the very beginning. "You are dealing with people's identities and money," he says. "You can't go out there and see what works, and then iterate. It has to be bombproof from the get-go."
At the same time, McNabb says, security teams must make a rigorous argument when it comes to risk versus profit. "It's incumbent on the security team to walk through exactly what they don't like about a new app, where the risks are, and what can be done to mitigate them," he says. Once the security team makes its case, the business must make the call on whether those risks are worth taking.
These tensions are apparent in the survey. We asked IT and other business executives if they agree with the following statement: "Our organization properly balances information security and information access." On a scale of 1 to 5, where 5 is "completely agree," business executives were slightly more in agreement, with an average response of 3.7, compared with IT's 3.5.
Our survey responses show that, for the most part, infosec teams are striking a balance between security and access, although a still-common complaint is that they get in the way of commercial opportunities.
"I would be naive to say that people don't regard security as an inhibitor," concurs Craig Shumard, chief information security officer at Cigna, a global health services company. "You have to be able to explain why security is needed, what the risks are."
Of course, security groups share some of the blame for that perception. The CIO of a large county agency says infosec pros do a terrible job of understanding the business impact of their security recommendations. "I don't have the business pushing back on me as I implement security approaches--I push back on the security folks," the CIO says.
It's critical for organizations to ensure that the inconvenience imposed on users is commensurate with the reduction in risk. "And often security people don't get that, or don't know how to do it," the CIO says.
The e-business infrastructure manager at a global bank says that if a new vulnerability is detected or malware breaks out, the security group's first inclination is to shut down all banking servers in North America. "We may say, 'Hold on, can we stagger this and do it in a more organized manner?' We understand their need to avoid issues," the manager says, "but they have to understand our need to maintain availability."