The True Role of an Information Security Professional
- Written by: Dave Nelson
Information security professionals must understand their role in helping business leaders balance the risk vs. reward equation when evaluating cybersecurity efforts. They must also be willing to exercise flexibility in their personal opinions and help business leaders understand IT risk management. Doing business comes down to one simple question. How much money are you willing to lose in an attempt to make even more money? In other words…how much risk can you stomach? Doing business in the digital world today involves more risk than ever before. Cyberattacks are simply a cost of doing business.
Information security professionals are responsible for helping business leaders understand cybersecurity risk and how to properly mitigate it. When this occurs, they can be a very useful resource. But, if they do not understand that responsibility, they become a liability to the organization they are trying to help. Security professionals must understand that business decisions must be made by business leaders.
Assisting with Business Decisions
If you are an information security professional, you can let down your leaders in several ways. The first is to attempt to make business decisions. Saying “no” because something is too risky isn’t your job. You should identify the risk, communicate the risk so executives can understand it, and then provide options for accomplishing the task with less risk. Let the executives make the call. This way you are seen as an enabler of the business and not a roadblock to progress or change.
Flexibility and Compromise
A second pitfall is to pick the wrong battles. If you are seen as inflexible and unwilling to compromise, you lose the trust and respect of the leaders around you. If, however, you display a willingness to negotiate and compromise on a regular basis, then on the occasions when you do push back and fight hard for something, your opinions will be respected. If there is a high level of trust, they may even defer to your position simply on that trust factor.
Staying Engaged
A third pitfall is complacency and ineffectiveness. Every security professional comes to a point in their career when their effectiveness seems to be dwindling. For whatever reason, their effectiveness in the organization has diminished to a point where they are no longer making a difference. Sometimes this is because of the individual, sometimes a management change, and sometimes the company’s culture is changing due to growth and maturity. The important thing is to find out the reason for the change and try to correct it. Simply going through the motions of security will result in critical failures.
Communicating with Management
Ultimately it comes down to this. Are you still able to recognize and communicate cybersecurity risks in a way that management understands and is able to act on? Are you able to provide solutions that protect the company while allowing it to function and grow? If the answer is “Yes”…then carry on. If the answer is “No”, then you need to dig deeper. What changed? Why? Can you fix the issue? Can you reestablish mutual trust and be effective again?
Information security isn’t about being in control. It’s about helping business leaders make wise decisions based on their knowledge of the business environment and market forces. Information security professionals who understand this and provide value to their business leadership are worth their weight in gold.