While some people still believe that data protection and information security require different skill sets (and they are correct), they go on to believe that each discipline does "just fine, thank you" when operating in isolation. This last belief is as wrong as believing that nobody will hack your home computer because it is not valuable. (But that's another topic.)
In reality these are two vital elements of a Mature Information Management Model (MIMM). This model, still in the process of being understood, assigns real value to the work that people perform. At the heart of any business lies the idea of value. Barter economies understood value well. The apple-grower exchanged the food value in a bag of apples for the blacksmith's skill in shoeing a horse. The young woman today, receiving value for her time and skill at the insurance agency, exchanges part of her salary to buy an iPad ® for the communication and entertainment value it provides. Value transfer is a key step in any business. Each datum in your system is a record of a process step in value transfer.
We first replaced the bag of apples with a handful of paper bills. We then replaced the paper money with electronic money in the form of data. And here is where the problems begin. While there is a long historical record of securely handling gold and money, data management grew up with a different set of priorities. Business rewards IT workers for low cost, high speed and operational stability. While these are good goals, leaving Information Protection out of the primary business requirements causes data loss, and adds the cost of security remediation later. We spend more and get less. I humbly suggest this is not an optimal approach.
Collaboration is not easy because the security folk, alone in their isolated cubicles, wearing black T-shirts and listening to Trance music whilst drinking Red Bull®, live in a battlefield world where malicious hackers and organized crime attack the enterprise relentlessly. Further, they may have been told that meddling with business processes lies outside their duties. They are often unwanted guests at meetings. Thus the enemy in their Red Bull-fuelled nighttime war game may, or may not, stand in their minds for the person who gave them a difficult problem that day.
To link security expertise to the business at the right time, here's an approach that might just be crazy enough to work. Get the project teams and security together to discuss requirements before they are finalized. I know this sounds wild, but we need to free our minds and jump across the street to the other skyscraper... no, wait, that was in The Matrix. We must be willing to get together in a non-confrontational manner and talk about risks and dangers.
It has been my experience that at this stage of a software or business process development, eliminating security issues can be easily managed with small changes in system design or operations, with no loss in speed or productivity. (Italics mine, since I wrote it in the first place.) Such meetings, held before project requirements are finalized, also generally result in process improvements. Socrates said, "The unexamined life is not worth living." I say, "The unexamined business process is full of stupid."