July 16, 2014 by
Security to Serve, not to Subjugate
This was originally posted on blogger here.
A reoccurring theme in information security (and many other disciplines which cut across verticals) is "I could solve the problem if I could just get everyone to follow a few, simple rules". We know, and they may even agree, that the simple rules are good practices that should be done. However, the rules are rarely followed. When they are followed, any adversity causes them to fall by the wayside, and no-one is particularly happy to follow the rules.The fact is, even though we are benevolent rulers with a light burden, we are still acting as authorities over other groups in our organization. Authority is rare appreciated, regardless of the burden. If we want to truly get the support of our organization, we need to serve them, not rule over them. But how do we provide security through service?
A Model for Service
With a little adaptation, the Center of Excellence (CoE) model can be adapted to provide cross-vertical competencies through service to the organization. Our CoE will have three goals (services it provides):
- Evaluate Quality - The CoE will provide a repeatable approach to evaluating how well other groups in the organization are doing at infosec.
- Lessons Learned Sharing - The CoE will collect lessons learned about infosec from groups across the organization and distribute them to the rest of the groups.
- Support Execution: The CoE will support the execution of infosec in three ways based on how the supported group wants to be supported.
- If the group knows how to do infosec, leave them alone. Let them do their thing.
- If the group wants to know how to do infosec, teach them how to do it well.
- If group doesn't want to deal with infosec, offer to do it for them. Obviously they will still need to provide the resources, authority, etc, necessary for you the CoE to provide this service.
It is important that the CoE not see themselves as specialists proselytizing to the unwashed heathens. The CoE serves others; it doesn't rule them and it isn't better than them. To that end, the CoE should strive to provide the services when requested, only providing them unsolicited when absolutely necessary. Also, the CoE need only charge for bullet 3.3. The CoE should be internally funded to provide the other services.
One way to start developing this CoE is for the group to begin solving problems that are likely to arise before the CoE is engaged. If you look forward and help develop solutions before the problems arise, when groups come to you with questions, you will be able to serve them by solving their problems. This will bring them back to you and help you establish your CoE of infosec service. And by all means, don't be shy about your successes. Make sure others know you are serving the organization and solving other's problems. Soon they will be coming to you for infosec help and you can use the opportunity to establish the CoE.
P.S.
The approach doesn't just work for information security. It can work for any service: Data Analytics, Quality Assurance, etc. By applying this approach, the requirements will not be burdens, but services.