Further to yesterday's ISO27k Forum thread and blog piece, I've been contemplating the idea of extending the security awareness program into an "outreach" initiative for Information Security, or at least viewing it in that way. I have in mind a planned, systematic, proactive approach not just to spread the information risk and security gospel, but to forge stronger more productive working relationships throughout the organization, perhaps even beyond.
Virtually every interaction between anyone from Information Security and The Business is a relationship-enhancing opportunity, a chance to inform, communicate/exchange information in both directions, assist, guide, and generally build the credibility and information Security's brand. Doing so has the potential to:
- Drive or enhance the corporate security culture through Information Security becoming increasingly respected, trusted, approachable, consulted, informed and most of all used, rather than being ignored, feared and shunned (the "No Department");
- Improve understanding on all sides, such as identifying business initiatives, issues, concerns and demands for Information Security involvement, at an early enough stage to be able to specify, plan, resource and deliver the work at a sensible pace rather than at the last possible moment with next to no available resources; also knowing when to back-off, leaving the business to its own devices if there are other more pressing demands, including situations where accepting information risks is necessary or appropriate for various business reasons;
- Encourage and facilitate collaboration, cooperation and alignment around common goals;
- Improve the productivity and effectiveness of Information Security by being more customer-oriented - always a concern with ivory-tower expert functions staffed by professionals who think they (OK, we!) know best;
- Improve the management and treatment of information risks as a whole through better information security, supporting key business objectives such as being able to exploit business opportunities that would otherwise be too risky, while complying with applicable laws and regulations.
Aside from the opportunity, there's also a relationship-harming risk too, if (when!) we get those interactions wrong - an information risk that can be treated in the conventional manner:
- We can't totally avoid the risk, short of becoming isolated hermits which would render Information Security pointless and worthless;
- However, we could emphasize productive interactions and try to cut down on unproductive ones maybe - a form of risk mitigation. We could also be more proactive in this area, for example making sure that Information Security people have the skills and aptitude for forming and maintaining productive relationships with the rest of the business, and the good sense to recognize and respond when things are not going well. Measuring the strength of its business relationships with various other functions or business units would help Information Security improve them systematically where appropriate, implying the value of relationship metrics;
- We could share the risk by collaborating with other risk and assurance functions when interacting, especially the ones that have strong relationships throughout the business. We can learn from and support them, and vice versa. We might also share the risk with the general business by persuading general management that strong internal relationships to specialist functions are valuable assets, worth investing in (e.g. if you are thinking about employing security consultants or taking advice from vendors on security matters, come to us first: we may well be able to assist directly, or broker your supplier relationships).
- We are forced to accept any remaining untreated information risk, like it or not ... but that's not the end of the story. In the event of relationship issues, we could put in place arrangements to deal with them as effectively and efficiently as possible - such as having escalation routes to management, perhaps even incident management or contingency plans in this area. The metrics I mentioned should give us early warning of impending problems, avoiding nasty surprises.
All in all, I see a lot of upside potential, and the downsides can be managed. This idea looks like a winner to me. What do you think?