Making enemies, but needing allies

Computerworld - My name is mud within IT right now.

Our fledgling security organization is starting to run into some significant relationship challenges. As we're beginning to build our information security program from scratch, we're causing some friction.

In my company, information security is part of the IT department, but like several other IT disciplines, it reports directly to the CIO. As a result, the infosec and IT support teams are peers, a relationship as uneasy as that of siblings. Over the past couple of weeks, tensions between our teams have been rising sharply. In fact, we could be looking at full-scale interdepartmental warfare. How did this come to this pass?

As we try to bring security to an acceptable level, we are introducing new policies and standards that are being met with hostility by the IT support teams. They will have to perform some of the remediation we have identified, such as patching and updating devices, cleaning up firewall rules and implementing redundant systems. So, basically we are telling them what to do -- which they interpret as telling them how to do their jobs. And they don't like that.

This company does not tolerate change well, and the reaction has been less than mature. In fact, the company displays the lowest level of organizational and personal maturity that I have ever seen, and this attitude is apparent in our dealings with the rest of the IT organization. Reactions have ranged from pushback in response to the demands we have placed on the server teams to finger-pointing and name-calling.

When you apply ISO 27001 criteria to this company's security processes, the shortcomings are clear. Most of the processes are ad hoc and chaotic, depend on heroics, and rely on key people with specific knowledge and unique skill sets. What I want to do is to introduce a higher level of organizational maturity, with repeatable processes, common language and defined tasks. I hope one day soon to have uniform processes based on well-defined policies and solid methodologies.

But that is in the future. For now, we are trying to improve our corporate maturity by advocating a better set of practices, and that isn't going over well. And the information security team is the only group attempting to do this. Not Winning Allies

The result so far has been ugly. All of the IT departments are complaining that infosec is asking too much. They are complaining loudly and with varying levels of tact (none of which are very tactful at all). While upper management remains confident that my group is doing the right thing, our stock among our peers is sharply declining, and they don't want to deal with us.