To bring the Agility keynote sessions to a close this week, Nathaniel Callens, F5 Chief Information Security Officer, gave us an insight into the mind of a security professional. Because security is considered by many to be “the department that says ‘no’”, he wanted to help customers and partners better engage with security teams. His message: think like a security expert and you’ll be far more likely to make headway, rather than receive pushback from those trying to manage the risk to the business.
The challenge for security teams is that they are battling on a number of fronts. With application proliferation, they need to work with multiple vendors in order to protect on all fronts. The cloud has increased the number of environments which need to be managed, while internal users also make mistakes and don’t always follow the agreed protocols. Set against this backdrop are the challenges of ensuring the business has measures in place to protect data and applications between them and the user, on a session-by-session basis. This increased complexity, and often cost, can lead to a tricky environment when you approach the team asking for another application or tool to be delivered to the business or customers, securely.
He wanted to stress the importance of remembering everyone’s in it together. Information security is, of course, a common concern for companies across the globe; our most effective way of keeping ahead of those trying to do harm is to collaborate. With new threats appearing on a daily basis, regulations changing at an increased pace and billions of new devices coming online, it’s no wonder that the security team has often developed a cautious tone – one which the wider business can interpret as a ‘no’ mentality. So how can we get past this and ensure that the business has access to the right tools at the right time and ensure that productivity is balanced with security?
His number one piece of advice was putting yourself in the security expert’s shoes. By getting to know them and understanding whether their number one focus is on the network, applications, data or infrastructure, you’ll be equipped to kick off the conversation in a way which will engage them effectively.
But it’s not just down to the wider business to engage with the security team more effectively. I would also urge security personnel to ensure that they use facts, not fear, when outlining policies to the wider business. Yes, security tools and their deployment can be complex, but businesses also want to be able to innovate, without security holding them up. By meeting in the middle, both security teams and the wider business can stay on the same page and ensure the best possible outcome for all. As my colleague Nathaniel says, the key is to “collaborate, collaborate, collaborate” both within organisations and across businesses and industries.