Help the business meet requirements (stop saying no)
/One of the biggest problems I see in information security or cybersecurity is infosec professionals instantly saying no and basically ending the discussion when the business proposes a change/addition to the environment.
Whether it is a small change, such as a new plugin purchased for Excel, or a large change, such as moving all data to a cloud provider, infosec professionals must understand the business/company/customers and their requirements/needs. Will people in the company have bad ideas? Of course. I mean, they aren’t security or IT experts. You will hear things like we must use or do x, because it will make our jobs easier, put us ahead of the competition, benefits our clients, etc. If the idea has picked up steam and is now a project, you might as well understand it is/will happen…with, or without, your help. I see a lot of infosec professionals after hearing the “sales pitch” from someone in the business, they say something to the effect of it is a terrible idea, it isn’t secure and there’s no way we can do it. I think the correct answer would be something more along the lines of let us take a look and we will get back to you shortly. Of course by shortly, I mean a few days, unless your business has a more defined procedure.
Why do I say you should say let’s analyze it first instead of even throwing out the word no?...well, the business is going to do something regardless of infosec’s ruling and will do it very soon. If the infosec team stone walls the business by saying no and/or ignoring/delaying them (hence why I said give them an answer soon), they will go around infosec. Instead of trying to secure something which may be difficult to secure, why not understand their requirements and work with the business. You can possibly find the best option and propose it back to the business saying things like this option is more secure, fulfills your requirements, and also has more features/benefits than your original option. Not assisting, just means you may be stuck with more work later when trying to find a way to secure their selection.
The more infosec works against the business, the more they will be hesitant to involve infosec early so they can assist in the planning and the more likely the business will circumvent infosec all together. When the business plans without infosec input or circumvents infosec, we all know that leads to problems. It will be harder to implement security late in the process or, even worse, after a project has been rolled out. When I see the business circumventing the infosec team or extremely hesitant to involve them in the planning process, I instantly get the feeling infosec is just "not playing well with others" and I just want to ask, "Can't we all just get along?" :) In all seriousness though, it is extremely important for the infosec team to work with the business instead of against it. Do your best to turn a "no" or "it's not possible" into a "yes, we can work with you to get this done and implemented securely."