Another "security should know business" post – but this one is small
on January 29, 2008 at 3:49 pmI just read an article over at SearchSecurity.com that was talking about the security issues of opening an IPsec tunnel to a partner in order to secure some file transfers. But the real thing that got to me was the person asking the question, as the author of the post pointed out, seemed to have some type of issue with the IT guy because he would not open up a port to help out.
Of course, there is no real explanation behind what the guy was trying to accomplish and what ports he wanted open. He might have been asking for something totally ludicrous for all I know. But the main point comes towards the end of the article:
Remember, business and security professionals are all on the same team, trying to achieve the same mission. They do, however, have different perspectives on what’s best for the organization. Put yourself in your counterparts’ shoes and try to understand that they’re attempting to manage the risk to the business.
I agree with sentence one. I agree with sentence three. However, sentence two makes no sense to me. The security departments perspective may be different, but what’s best for the company should not be. Yes, they should have a say so. Yes, they should be crucial to the decision making process on what is best for the company. Yes, they should write policy for management to approve. But management makes the decision on what is best, and once that decision is made, the security department should follow that decision. Again, their perspective may be different, but they cannot decide what is best for the organization. If they are doing that, then the company is being run backwards.
Don’t get me wrong. The guy making the request has the same responsibility. The company is run by management, and if he is trying to force something down security’s throat, then he deserves the push back. Everyone should be trying to abide by the decisions of management, which hopefully is what is best for the company.
Now, if the decision making by management is horrible, then obviously one has to decide if it is time to fish or cut bait.
Vet
