The problem with IT security professionals is that they spend too much time stopping business people from trying new things, including cloud services, out of worries about risk, when they should really be working directly with business managers to help them innovate by means of security.
That was the main point made today by ADP’s senior director, converged security architecture, V. Jay LaRosa, during his keynote at the Cloud Security Alliance Congress, where he sought to convince the security professionals in the audience that they need to become better allies with business managers. “As security practitioners here, the problem is not with the cloud but with us, with our ability to evolve,” said LaRosa, adding that IT security managers are often seen as barriers to innovation.
IT security managers are fascinated with technology, worry a great deal about risks and are often the last to know about some IT projects, especially those involving cloud-based services, because business people tend to want to avoid the IT security department as much as they can, LaRosa suggested. Security ends up being this last “checkbox” on their list, which isn’t good.
Being a savvy technologist is great in and of itself, but talking tech to business people usually backfires because they don’t want to hear “geekspeak”; they want to find out how to try new things to grow the business, LaRosa said. And IT security people need to change their attitudes and go out and get involved with them to do that.
LaRosa noted the reality is that IT security people are often viewed with disdain in the company, where they’re even regarded as “jerks” who wander around doing little but putting anti-virus software on people’s desktops.
“We’re seen as innovation killers, always saying no,” said LaRosa in his heartfelt keynote speech to the CSA audience. The goal for the IT security pro, however, should be to “never say no” because IT security should be involved in major projects from the start and able to determine the risks and compensating controls, including with cloud services.
He acknowledged there’s still plenty for technologists and vendors to figure out in cloud security, but that’s no reason to not forge ahead by starting to build strong ties with business managers to know what they’re planning and be part of it.
“Listen to them. Learn what’s important,” and when talking with them, “always tie it to something important to them,” LaRosa admonished. The danger is that IT security managers can find themselves increasingly irrelevant and the problem of “shadow IT,” in which business people go behind the backs of IT to turn on the cloud services they want without IT’s approval, will only grow.