Doing business comes down to one simple question. How much money are you willing to lose in an attempt to make even more money? In other words…how much risk can you stomach? A good information security professional must understand this principle. They must also be willing to exercise flexibility in their personal opinions and help business leaders understand risk.
An information security professional must understand their role in the organization. If they understand it and operate within it, they can be a very useful resource. If they don’t, they become a huge liability. Security pros must understand that business decisions must be made by business leaders. Our role is to help business leaders understand risk and learn how to mitigate it. Our job is not to make the ultimate decision. That’s the role of a business leader and one I’ll talk more about in another post.
If you are a security professional, you can let down your leaders in several ways. The first is to attempt to make business decisions. Saying “no” because something is too risky isn’t your job. You should identify the risk, communicate the risk so executives can understand it, and then provide options for accomplishing the task with less risk. Let the executives make the call. This way you are an enabler and not a roadblock.
A second pitfall is to pick the wrong battles. Certainly there are times you’ll want to fall on your sword. But is blocking all personal internet use one of those battles? I’ve seen it happen. When you are seen as inflexible and unwilling to compromise, you lose the trust and respect of the leaders around you. You’ll then have to fight for every decision. When leaders see that you are willing to negotiate, your battles sometimes become easier because they know that if you’re fighting hard for something, it must be important. If there is a high level of trust, they may defer to your position simply on that trust factor.
A third pitfall is complacency and ineffectiveness. Every security professional comes to a point in their career when their decisions are no longer seen in the same light. For whatever reason, their effectiveness in the organization has diminished to a point where they are no longer making a difference. Sometimes this is because of the individual, sometimes a management change, and sometimes it’s just that the company is growing and maturing, which causes a culture change. The important thing to do is to find out the reason for the change and try to correct it. Simply going through the motions of security hurts everyone.
Ultimately it comes down to this. Are you still able to recognize and communicate risk? Are you able to provide solutions which protect the company but still allow it to function and grow? This is your job. If the answer is yes…then carry on. If the answer is no, then you need to dig deeper. What changed? Why? Can I fix the issue? Can I reestablish mutual trust and be effective again? Tough questions, but better than sitting on the bench.
Next up…Are you an executive worried about information security and privacy? Has anyone ever told you your role in this process? Are you burning through security people like a hot knife through butter? Does security always seem to be a roadblock? You’re in luck. I’ve got some answers.