Larry Hughes has a great post over on Riskbloggers with tips on how to demonstrate that security is invested in the success of the business. There’s some really good stuff here. Especially these two:
Say “no” by saying “yes.” Somebody wants to uncork that remote access bottle, and let a thousand new contractors VPN into the corporate net from anywhere in the world with their own laptops? Of course you’d like to help them explore how they can meet their objectives in a way that’s neutral to the business’ security posture.
I can’t agree with this one more. The only thing I’ve seen that gets more traction and people playing nice with us is a major security event. All saying no does is to make things more confrontational and put everyone in a resistant mood. So you want to avoid that, unless of course you like being called “Dr. No”. By saying “How can I help?”, you are putting yourself in a position where you are making things happen, not being a roadblock.
Learn when to say “That’s good enough for now.” Scratching and clawing for every inch of ground this time, because you know how hard it’ll be next time, only leaves you with bloody fingernails. Nobody wants to buy things from people with bloody fingernails.
As Ken Van Wyck and Mark Graff remind us Secure Coding, it’s not about being secure. It’s about being secure enough. It’s never going to be perfect, so the question is whether there is enough protection from threats for the foreseeable future.
This is similar to how we need need to understand how businesses work. But we also need to understand how people work and learn how to interact with them better. As usual the people are indeed the weakest link, but in this case, it is us.