Taking the No Out of Innovation
“The solution to mitigating the risk is not to stop sharing and collaboration, which is essential to a productive workplace. Rather it is putting solutions in place that will keep these documents secure without requiring draconian end-user security measures that will stifle productivity.”1
Sounds great, but the question is how?
I wrote in a previous blog that no one, including IT security, likes to say “no” by pointing out security problems in a business initiative that has already involved considerable effort and generated momentum. My point was that looping in IT security as early as possible allows them to contribute to a discussion toward achieving the common goal: finding a better way of getting the right information to the right people (and only the right people) at the right time.
But this does require IT to step out of its traditional role of support and to be proactive about initiating that dialog, to reach out to Line of Business innovators. It may feel counter-intuitive, but success requires IT security to encourage reorganizing processes around enabling innovation and creating business value.
It is true many enterprises already include IT security as part of the teams that review current document and information processes. But I am advocating that IT security should collaborate with innovative domain experts or departmental managers as early as possible.
This subtle change shifts IT security’s focus, and, importantly, its perception by others, from gate-keeping to helping teams predict risks, estimate risk-reduction costs, and jointly find productive and secure solutions.
The business benefits include:
- improved process and product security “out of the gate” as a result of raised risk awareness and early engagement;
- faster innovation as security (or compliance) does not become a headache late in the process;
- stronger cross-functional collaboration and communication;
- better risk management capabilities fostered within the IT security team;
- and stronger overall organizational security awareness and posture.
Success does take time. And as I stated above, this does require new skills on the part of IT security: for example, the ability to communicate with non-security practitioners, and a better understanding of the business drivers and the way others think in different functional areas.
But there are early indicators of progress. As CISO of Ricoh I am now being asked to present at channel venues and to customers how current security trends influence demand for our products and services – and how we as a company are adapting. Most significantly, internally, I now have Product Teams actively looking to exceed IT security’s control standards in an effort to add product value and better differentiation.
In my opinion, this represents a real opportunity for IT security, and the business as a whole.
1 Ponemon, 2012.