July 22, 2011, 10:45 AM — For years businesses have talked about how important security is to their customers and to the success of their business. However, with so many breaches in so many different industries, it's tough to take organizations at their word.
For years, many security managers and chief information security officers have talked about how the "business" side of the house doesn't understand security, or take what the IT security team has to say about risk seriously.
Somewhere, clearly, there is a disconnect.
Related: Talk the walk
"The IT security profession is always looking for ways to get into the requirements and design phases of a new application or initiative," says the security manager at a large regional health care services provider. "But we're often not brought to the table until the actual initiation of the project," he says. "Unfortunately, by then, there's little we can do because the architectural standards are gospel in the requirements. Also, there's little that can be done at that stage to improve security design without increasing costs tremendously."
Our discussions with CISOs, operations team members and other IT members support the security manager's assertions: security tends to remain consistently a step behind business operations in many organizations. "Often, when we bring IT security into the system design functions, all we hear from security are roadblocks about why things can't be done securely," says the enterprise architect at a global engineering services firm. "They're often overly technical, way too early in the discussion, when talking to the business side," he says.
And there lies the all-too-common friction between business managers, IT operations, and IT security. The disconnect forces security groups to take the hapless position of having to "bolt on" security controls well after a new initiative is underway. That's a much harder and more expensive thing to do. "The earlier we are part of the discussion, the better and more secure the initiative," he says.