Michael R. Farnum

Hitting the Security Nerve

Security and IT managers need to understand the business

When it comes to security and IT in general, does the exec need to change, or do we? That is a question that Pete Lindstrom answers here, and though I have had my differences of opinion with Mr. Lindstrom, I think he is dead on this time.

Mr. Lindstrom's post is directed at Marcus Ranum's latest podcast, which I have not heard, so I cannot directly comment on his criticism. However, I can say that Pete makes a great point when he says, "We don't try hard enough to understand business problems." I can't say it surprises me when IT people gripe about management. There have been enough times when I was guilty of that. And there have been times when the griping was justified because the exec made completely bone-headed decisions that left my network wide open to attack (like the whole "security figurehead" issue I keep bringing up). But at the same time, execs have a pool of money to spend, and they have to make decisions on where to spend that money. Unfortunately, IT is not the only place where it has to be spent. Do average spending percentages need to be increased in most companies? Probably. But ranting and raving at an executive or your buddies about it is not going to get anything done. If we are going to make any progress at all, we have to understand the business implications, and we have to work within those strictures. Better to have something done by working with the exec than nothing at all getting done because all we did was moan about our plight.

I found a perfect example of this yesterday. I was in a meeting with a potential client, and he mentioned that he was in the midst of an SAP implementation (I know... ouch). The comment that he made was that the SAP project committee was not chaired by IT. They thought that it would be a better idea to have a business unit manager head it up, since this was primarily a business application. I congratulated him on his right-thinking and maturity in making that decision. He is the IT director, yet he knew that a business does not exist to create a job for IT folks and have them look down on everyone because they know the company would crash around their ears if they decided not to do their jobs. IT should be in place to help the business run. IT is a business enabler.

Security as well should not hamper business. Security is there to protect without hindering. That is a fine line, and it is sometimes very frustrating. But the job of a security manager is to make management understand that there are risks, what those risks are, and how those risks can be mitigated. Basically, the security manager's job is to give choices, enable those choices, and live with the choices that are made. That is maturity.

What People Are Saying

Security

It's challenging for someone to understand business systems. And it's useful to be able to understand it.

Excellent points. It occurs to me that, in order to achieve the maturity Michael discusses above, one may need to undergo a mindset transformation from the old-school supplier -- "What do I want to provide to THEM?" -- to new-school consumer -- "What do we need as an enterprise, and how do we help accomplish these goals?" At this point, helping the business mission becomes do-able, though not necessarily simple. There is always room for constructive disagreement, but never room for US v. THEM.

Craig Herberg

Very nice and well put. IT and IT security are facilitators of the business process. I think one thing that would help in this process is if the security practitioners start taking a hard look at how the countermeasures they select can also provide value to the everyday IT administration. Configuration management, network behavior analysis, and other areas of security can have a direct and immediate impact on both security and administration. By doing this the solutions are actually cheaper and provide more value to the organization. These benefits will eventually find their way through the rest of the business and provide a positive impact on multiple levels.

Go forth and do good things,
Cutaway