When Security Policies Collide With Business Realities

Posted on by Christopher Burgess

Horror stories abound about the wayward employee who ignored the established information security policies in an effort to get the job done. The employee didn't mean to put the company at risk, but that's exactly what happened. In situations like this, the employee is likely caught in the switches between the information security policies of the company and the goals and expectations of his manager. So, how do we align the two camps? Communication and collaboration.

Goal Setting

The goals of the operational and sales teams are pretty straightforward: create the best possible product, sell and support the product, and do it often. The information security team has goals of equal clarity: protect the company data, the company infrastructure, and the intellectual property/trade secrets.


The goals of the two groups are not at odds with one another—indeed, they are most complementary. Both are driving the company toward sustained success. The information security team that operated with the "we'll tell you what you can and cannot do" mindset is the team of the past. No longer can information security be construed as the "'no' police"; they now must champion the "how." Their policies are the business unit's policies, created with and for the business unit to be as successful as possible. Today's successful teams operate with a mindset of "I understand what you are trying to accomplish." And with that simple but all-so-transformative mindset, the meld can begin.

Similarly, the business teams no longer can afford to eschew engagement with the information security teams and "their" policies. The days of "their" policies are gone. The business owns the risk, and it is in their interest to evolve the most secure environment with the right set of policies and tools—policies which keep the business engagement within the lines and ensure the mutual goals of data protection and customer satisfaction are achieved.

These joint metrics are of great value in determining success. When the business unit owns the policies, it changes the complexion of the engagement. The power of self-policing, with information security as backup, is strategic.


When the conversation is about business solutions and solving business problems, the joint team can craft the appropriate training and education with stunning focus. In doing so, they raise the probability that each individual business team member will understand why the policy exists and what the repercussions of non-adherence are. And if the business team tried to work around their own information security policies and rules, they would be breaking the rules of their own team and colleagues, rather than those of a "third-party" information security team.

While adherence to the policies may be improved, perhaps most importantly the business unit leads, who have their metrics to meet and widgets to build, will have a better understanding of any potential impediments. As full-on partners with the information security team, they would have their own hands in the creation of the policies and will be better protected from the risks they would face should those policies be broken.

Christopher Burgess, Prevendra Inc.

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
