Making Enemies, But Needing Allies

Security issues have been ignored a long time. Change is needed, but that rubs some people the wrong way.

My name is mud within IT right now.

Our fledgling security organization is starting to run into some significant relationship challenges. As we're beginning to build our information security program from scratch, we're causing some friction.

In my company, information security is part of the IT department, but like several other IT disciplines, it reports directly to the CIO. As a result, the infosec and IT support teams are peers, a relationship as uneasy as that of siblings. Over the past couple of weeks, tensions between our teams have been rising sharply. In fact, we could be looking at full-scale interdepartmental warfare. How did this come to this pass?

As we try to bring security to an acceptable level, we are introducing new policies and standards that are being met with hostility by the IT support teams. They will have to perform some of the remediation we have identified, such as patching and updating devices, cleaning up firewall rules and implementing redundant systems. So, basically we are telling them what to do -- which they interpret as telling them how to do their jobs. And they don't like that.

This company does not tolerate change well, and the reaction has been less than mature. In fact, the company displays the lowest level of organizational and personal maturity that I have ever seen, and this attitude is apparent in our dealings with the rest of the IT organization. Reactions have ranged from pushback in response to the demands we have placed on the server teams to finger-pointing and name-calling.

When you apply ISO 27001 criteria to this company's security processes, the shortcomings are clear. Most of the processes are ad hoc and chaotic, depend on heroics, and rely on key people with specific knowledge and unique skill sets. What I want to do is to introduce a higher level of organizational maturity, with repeatable processes, common language and defined tasks. I hope one day soon to have uniform processes based on well-defined policies and solid methodologies.

But that is in the future. For now, we are trying to improve our corporate maturity by advocating a better set of practices, and that isn't going over well. And the information security team is the only group attempting to do this. Not Winning Allies

The result so far has been ugly. All of the IT departments are complaining that infosec is asking too much. They are complaining loudly and with varying levels of tact (none of which are very tactful at all). While upper management remains confident that my group is doing the right thing, our stock among our peers is sharply declining, and they don't want to deal with us.

So far, we've taken a standard conflict-management approach to this situation. We are listening to all concerns, trying to find reasonable solutions and making sure we collaborate on everything. This hasn't been as successful as I'd like, although admittedly, things could be much worse. But we're losing traction, and the other IT teams are turning away from information security.

I'd hate to think that my only option is to bring down the hammer of the CIO. If we really are looking at interdepartmental war, that would have to be considered the nuclear option. Though it could help us accomplish what we want to get done, it would devastate relationships. I have to bear in mind that in winning this battle, we could lose the war of ongoing security improvement.

What we need right now are allies. But it's hard to see where to find them at this point in time.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at jf.rice@engineer.com. Join in To join in the discussions about security, go to computerworld.com/blogs/security

Related:

Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon