In many businesses, the security team is seen as a wet blanket, often swooping in at the last minute to put the kibosh on a project deemed too risky. But some veteran security pros believe there is an approach to security that can actually make businesses more innovative.
They’ve got some work to do. Businesses believe that technology security is the single biggest inhibitor to innovation, according to research company IDC. Of the businesses IDC surveyed, 80% said they have stopped a project because of security risks, with many businesses saying they do so frequently. Not surprisingly, as many businesses have a negative view of their security groups as a positive one.
But security pros say businesses are thinking about security the wrong way. “People think you put brakes on a car in order to stop fast,” Andreas Wuchner, head of information-technology risk management, security and compliance for Novartis, tells the Business Technology Blog. “We put the brakes on to allow you to drive fast, so you can do all those things you can’t do if you don’t have brakes.”
The best way for businesses to drive fast, security pros say, is to think about security early in the process. Most businesses have a fairly rigorous process for screening new ideas, including demonstrating an expected return on the investment. At the same time that a team is calculating the benefits of a new e-commerce Web site, for example, it should take into account the potential risks - what kind of data the site will collect, where these data will be stored, and so forth.
Accounting for the risks upfront gives people a chance to mitigate them before they become a problem, Dave Kent, vice president of security at Genzyme, tells us. For example, Genzyme found security flaws in the systems used by a travel-services company it was hoping to hire that could have led to employees’ passport data being exposed. Rather than backing out of a signed deal, Genzyme just moved on to a new provider.
One doesn’t need to be a security professional to think about risk. Kent says everyone should take into account whether the information a project uses is sensitive, where this information will be stored, and how many people will have access to the information. If answers raise red flags, he says, consult the security team.
And the wet-blanket complaint? Kent says there are two ways security pros can stay on the same page as everyone else: make it clear that they understand the benefits of the project; and try to explain the risks in language that everyone else will understand. Then people might even thank you for canceling a project.
The approach may work: The rate of frequently stopped projects is about twice as high at businesses that say they have a positive view of security’s impact on innovation as at ones that think of security negatively, according to the IDC study.