This dynamic is so common within organisations that we’re apt to believe it is a permanent fixture. I’m not here to advocate for roses and chocolates. But I do recommend we reflect on the systems that cause division, because it is then that we can realise and act on them to make improvements.
The relationship between IT, security, and ‘the business’ would have a social media status set to “it’s complicated.” It’s a love triangle. Typically, what we find is that the business often views security with contempt. The IT-business relationship has evolved with mutual interest, which is something that has actually elevated IT into the C-Suite and corporate strategy. The business-security relationship remains on the rocks. And the business looks to the IT corner of the triangle for fuel, while viewing security as a speed bump. While this might not always be the scenario for every business-IT-security relationship, it’s a mindset that many organisations are actively trying to change.
Tension in the triangle
Let’s examine the systematic forces behind, and sources of friction within, the IT-security-business three-sided artefact.
- Business problems become technical problems: Historically, as our computational muscle was handed off to machines, organisations became more agile, responsive, and fluid. A ‘corporate asset’ transformed from equipment or physical stuff—trucks, pallets, warehouses, etc.—to digital enablers like laptops, desktops, and mobile devices. With this surge in digitalisation, businesses saw their needs (and problems) shift too. Commerce became a technology business.
- Security acts as the suitor: During the 1990s, we all realised how digital risks were a new frontier (opens in new tab); eschewing even the possibility of in-house expertise. The business needed a gallant security suitor in order to restore what had been broken by digital threats.
- Codependency creates stress: The premise on which security is based didn’t satisfy the business forever. The breakup went something like, “It was fun ‘back then’, but now, I want to have some freedom, go out and find interesting things, and not be held back by your hyper-vigilant paranoia.” Security saw how doing the right thing to protect the business was now perceived as smothering. Fending off the challenges from business and IT, this group snagged the most time-honoured tactic known to security professionals: block. Meanwhile, the business eyed another partner (IT). Now, most of us take our seats within organisations that demand IT change its mandate from being a shared support service to one with a primary purpose to enable growth and business performance.
IT: Enabler or threat?
While doing its best at arbitration, IT has two friends to mollify. On the one hand, IT is just about the closest thing to a magic wand the business could hope for. IT creates new products, new services, deploys systems, and puts revenue growth on rails. But, IT must also provide all these services with an eye to securing the business from the inherent risks of a complex world.
What do you do when there’s a mandate to enable growth and reduce risk? You buy things. A lot of things. IT budgets have soared to gravity-defying heights with Gartner predicting that global IT spend will increase to $3.8 trillion in 2019 (opens in new tab) alone, and there are no signs of slowing down. When you take a closer look at the numbers, you can see that more than 1-out-of-every-5 dollars (opens in new tab) (21 per cent) is dedicated to security products. But, shouldn’t there be an omega-point? A destination, out there, where IT can provide the right level of service and secure data, devices, users, and apps?
Unfortunately, there doesn’t appear to be a ceiling in our upward gaze. IT complexity continues to expand, mutating the attack surface into its now unrecognisable landscape, and tensions between everyone have reached a boil.
Three tips for trouples
In the spirit of achieving better, more integrated business, IT, and security teams, here are three tips for trouples (aka groups of three) looking to improve their relationships.
- Recognise the differences. There is strength in coordinated dissimilarity. Every organisation is filled with smart, capable, and innovative individuals all pursuing goals to achieve the best outcome. Although some may interpret revenue growth, security, risks, or clever phishing scams differently, it doesn’t mean that contrary interpretations are the designs of hatched plots. On the contrary, the ethos of highly specialised work environments creates the lens to identify our strengths and responsibilities without judgment or power-grabs. Identify your part, what makes you tick, which objectives you’re striving to achieve, and watch as your differences become re-characterised as tailored instruments in the big machine.
- Tell the truth. Trust is built on honesty. After all, if you can’t trust a source, it becomes hard to show confidence in the differences (above) or the means of reducing tensions (below). Honesty comes in the form of expressing your own interpretations, biases, tendencies, inclinations, and conclusions. Say what you mean. Mean what you say. Empathize with how the facts could be interpreted. By fostering a safe environment where truth, honesty, and resolve are in your business, IT, and security fabric, you open a window to recognise differences and gradually reduce tension.
- Compromise and reciprocate. While we are not building backyard fallout shelters nor running duck-and-cover drills, we see a similar mindset with these relationship: “Any day now, this thing is gonna blow! I better stand my ground.” This zero-sum thinking keeps us from liberating our business, IT, and security relations; assuming that in order for another side to ‘win’ another group must ‘lose’. Rather than thinking one side must always win, compromise and reciprocity is required of every professional relationship.
To restore a healthy relationship in the business-IT-security love triangle, we need to acknowledge what got us here, recognise our differences, commit to rigorous honesty, and seize opportunities to compromise. There’s a bright future ahead, and it’s made possible when teams come together, share information, and chart a course that unmasks the positive-sum game we’ve been playing all along.
Josh Mayfield, Director of Security Strategy, Absolute (opens in new tab)
Image Credit: Monkey Business Images / Shutterstock