The House of No…

cybersecurity, security, technology

2014-04-28_11-54-01

“The House of No” is a humorous term I heard used to describe how Joe User Public generally refers to their Information Security Department. It is not exactly a flattering term, but it is a potent one that Cybersecurity Practitioners should keep in mind as they go about the business of protecting their respective organizations and clients.

While “The House of No” stands at one end of the spectrum, the other end is occupied by the Sun Tzu promoter of agile business: a practitioner focused on applying just enough protection to address the major compliance and regulatory requirements at hand while giving our business people the ability to do their jobs effectively and securely. It’s a balancing act that requires effort and dedication on the practitioner’s part and a real desire to effect change and growth as a thought leader rather than behaving like “law enforcement.”

Musicians and painters have not cornered the market on creativity. Cybersecurity architects must use the same kind of thinking when approaching a problem that needs resolution and applying the right amount of security.

  • Exceptions – This is a vital area in shifting the thought process of the residents of “The House of No.” There are always exceptions to the rule. The work lies in establishing the risk levels the organization is willing to accept, choosing wisely the areas where it makes the most sense to make exceptions, following a documented process for doing so, and gaining approvals at appropriate levels within the business. When the exception becomes the norm, it’s no longer an exception. It’s a broken business process.
  • Chicken or the Egg – So which comes first, the business requirements or the security requirements? This should be a no-brainer, but “The House of No” struggles with this mindset, blinded by the pursuit of protection first and foremost. Whether the organization’s primary business is selling potato chips or processors, its “business” is revenue generation. Our every move as practitioners and solution designers should begin with, not end with, enabling the business to conduct its activities as fluidly as possible.
  • The Messenger – Shakespeare in Henry IV, Part 2 said it best: “Don’t shoot the messenger.” As practitioners, our message should always carry the collaborative air of a business enabler, not a stumbling block to the pursuits of our peers and clients in winning business and serving our current customers. Security is ever important in our eternally increasing digital world.
  • The Scale of Risk and Priorities – The practice of risk assessment and measurement is a business effort, not confined to any one department by any stretch. As a business, identify risk, develop assessment criteria, assess risk, assess risk interactions, prioritize risk and respond accordingly. Just as much as we want to convey and practice an enabler’s mindset with our peers, we require their support and collaboration in the pursuit of business security and risk management.

Enable the business with creative and thoughtful security.

tai
