Sometimes it feels like IT teams just don't get it. We've had numerous meetings with vendors where the business comes in excited only to have IT / InfoSec pour water all over it.What does it take to shift the mindset from 'Let's block this' to 'How do we make this happen together'?

Question

Answer

When I was on the vendor side, we often used to come across security teams and individuals whose job (it seemed) was just to say 'no'.For us, the way to circumvent these was to give our champion and budget holder a strong reason to move forward. If the business value was there, they would fight the fight for us.This is also why 'Shadow IT' continues to grow.  and  would love your thoughts.

Answer

Security can at times be the great disabler. Often for legitimate reasons. To get in front of that, identify in advance what their objections may be.  Show that you have considered them and why they can be accepted or mitigated. If you come to the table well-researched with legitimate data, they will likely be more on your side.

Answer

I think the issue is technical vs. business acumen. Most IT folks can't translate technical into a conversation people can understand, but also sometimes they are thinking too logical about the reality of a straight forward task list for a project instead of looking at alternative routes. They speak too soon without delving into that side of the equation. It took me a couple years to figure that out and a great mentor who taught me how to know who my audience was.

Answer

True,  Business comes back to us saying can we have this in the phase 2 of the project because this may hinder our go live time line?. We explain the pros and cons of the impact to the company and we cant compromise with the security of the company and this has to be scoped into the project from the beginning. what are the additional cost they have to incur due to security setups like MFA/SSO and other security ring fenced to build and protect PII or any valuable assets

Answer

I think this is mostly an organizational change management issue (almost like any other). A would suggest a couple of approaches that work best together - 1) adopting DevSecOps way of doing things with the main focus being on the joint ownership of tasks and initiatives, an integrated and empowered team is the key; 2) shifting Security as far left as possible, if you want a can-do attitude and cooperation you need to be inclusive from the onset. When there's a joint ownership with a common goal of gettings things done, miracles happen :)

Answer

Bring IT in during the first meeting. In fact, do it while you are still thinking about new technology. don't wait. treat them like the experts they are.  Make sure they know that the systems, and all the hard work they have done to secure it, monitor and provision it is valued.

Answer

I think it's important to have a published (Internally) and agreed upon weighted criteria for any solution being considered.  Functionality, Security, Compliance, Recoverability, Integration with other tools, usability, etc...  This will filter out weaker vendors from the start.  Its easy to annoy IT and Security with flavor-of-the-month solutions, since there is always something shinier but it may require tons of effort for only ounces of gain over what you already have.  The weighted process (even for demos not just RFPs...) will get everyone on the same page as it highlights the vendor shortcomings in a specific way that they can be addressed (solution needs MFA).  This provides a path for a 'No' to change to a 'Yes' once changes to the solution are made.  With the required criteria in place, non-IT business areas will begin raising those key technical requirements with vendors before engaging IT.  All that said there still needs to be a well thought out proposal to justify the effort, bandwidth, and costs as all of these are limited in some way.

Answer

This is very much a function of when IT is included in the process. Is it after the business unit has decided on the whole project and has selected a vendor and just wants 'implementation' without feedback? I have found the most success comes from a very early meeting between the business unit and IT, when the goals and limitations of the project are being discussed, that results in the most success. When IT is included from the early stages so that security and operational issues can be identified and mitigated, resistance is minimal.

Answer

I suspect this is a common occurrence in many organizations. There is a fine line between the InfoSec team being perceived as a partner or perceived as a “gate keeper”. More mature InfoSec teams are considered essential partners by the business side of an organization. It takes a lot of work and trust for an InfoSec team to be perceived as a partner instead of a gate keeper. The best way for an InfoSec team to develop trust with the business is to speak the business’s language, share the same business goals and to demonstrate value beyond technology implementation.

Answer

Depends on what 'this' is. If this is switching from a monolithic architecture to a microservices architecture, maybe it isn't worth the effort. You could start by doing a cost evaluation. If you pay an employee every month to do a task that can be automated, then that is money back in the company's pocket. The employee now gets to do something fun instead of something mundane.If the task is something like 'make pulse.qa mobile compatible' then your cost analysis would include how much business is being lost to mobile users.

Answer

This feeling and perception is quite prevalent. There is a little bit of truth on both sides, On one side the vendors are trying to close the deal and are overly optimistic and aggressive about the solution. They don't factor all the security and integration protocols and simplify the solution to a fault. And we all know the devil is in the details. The business stakeholders sometimes build their reality on an over simplified vendor solution and take the questioning from IT and Security as blocking and slowing things down. The way to mitigate is involving IT and Security early in the process. Make them accountable to be part of the due diligence. Good IT orgs standardize the assessment process and that actually speeds up the overall cycle and avoids downstream surprises. This also keeps vendors honest and they can't fudge through the selling cycle early and have to demonstrate the required solution maturity.The resistance from IT and Infosec also happens because they are the ones left with maintaining, patching and owning the solution post implementation. Key here is a partnership model and give them a voice to assess the solution viability early.

Answer

Sometimes its due to costs that the business has not factored in, sometimes it is really due to relevant security/privacy/compliance items that need to be addressed.  In other cases it is because IT or security doesnt fully understand the business and thus its needs.  To shift the mindset I would shift the mission/focus of the teams and for security the mission has been for me 'Protect to Enable'.  Protect to Enable the people, the data, and the business.  That doesnt mean security should always say yes or allow anything the business wants to happen - especially if the risk is sufficient.  But a Protect to Enable mindset/mission with the right leader in place should address this issue

Answer

I’m in education, therefore I consistently remind my team that we don’t exist for storage, backup or email. Rather we exist to transform lives in the classroom. All of these technologies enable that and therefore we do them. Keeping the focus on the reason for existence helps a lot. Further as IT leadership, it is incumbent on me to keep them focused on business objectives.

Answer

I think IT gets it. Involving IT from the start before the business gets excited can also help.