Sometimes it feels like IT teams just don't get it. We've had numerous meetings with vendors where the business comes in excited only to have IT / InfoSec pour water all over it. What does it take to shift the mindset from 'Let's block this' to 'How do we make this happen together'?



GVP in Software, 10,001+ employees
When I was on the vendor side, we often used to come across security teams and individuals whose job (it seemed) was just to say "no".

For us, the way to circumvent these was to give our champion and budget holder a strong reason to move forward. If the business value was there, they would fight the fight for us.

This is also why "Shadow IT" continues to grow.  and  would love your thoughts.
CTO in Software, 11 - 50 employees

I've written/spoken quite a lot over the years about Shadow IT

https://www.cio.com/article/3199236/is-shadow-it-something-cios-should-worry-about.html

https://medium.com/@mdkail/how-can-cios-can-get-ahead-of-shadow-it-1604937598de

https://www.netskope.com/press-releases/netskopes-ceo-wants-you-to-let-your-users-go-rogue

Still love Netskope's "Allow is the New Block" slogan

Partner in Software, 1,001 - 5,000 employees

The large majority of InfoSec teams are fine working with vendors and start-ups as long as they are able to demonstrate in clear terms that they care about security, have laid a good foundation, have plans, and have a clear thought process on how to protect customer data. My strong advice is to provide a security narrative or guidance document, not boilerplate and templates, that speaks to these points. Lastly, I would advocate for vendors to be proactive in wanting to talk with security teams rather than trying to go around them.

Senior Information Security Manager in Software, 501 - 1,000 employees
Security can at times be the great disabler. Often for legitimate reasons.


To get in front of that, identify in advance what their objections may be.  Show that you have considered them and why they can be accepted or mitigated.


If you come to the table well-researched with legitimate data, they will likely be more on your side.
GVP in Software, 10,001+ employees

Thanks Ben, great answer. Is there a cultural aspect to this as well? If so, is it a top-down thing or bottom-up thing?

Senior Information Security Manager in Software, 501 - 1,000 employees

It’s such a broad answer.

Sometimes in security it is a power thing. They just want to block everything.

Sometimes it's politics.

Sometimes it’s laziness. If they block the project they don’t have to work to secure it.

But if security is blocking everything, there is a problem there.

Executive Architect in Healthcare and Biotech, 10,001+ employees

This reminds me of how healthcare IT organizations would push back on digital transformation and cloud-based application modernization opportunities because of concerns about HIPAA compliance.  Especially while paper-based health records and clinicians' desktop screens were often left unsecured.   In actuality we've had the identity and data security necessary for some time now thanks to our more motivated IT colleagues in financial services.   The silver lining of Covid-19 is that it has forced these same organizations to move towards greater digital engagement between patients and providers, and we're seeing improvements that were a long time coming.

Chief Information Officer in Manufacturing, 10,001+ employees
I think the issue is technical vs. business acumen. Most IT folks can't translate technical into a conversation people can understand, but also sometimes they are thinking too logically about the reality of a straightforward task list for a project instead of looking at alternative routes. They speak too soon without delving into that side of the equation. It took me a couple of years to figure that out, and a great mentor who taught me how to know who my audience was.
Director - IT Infrastructure - Databases and eBusiness Specializing in Information Technology in Retail, 1,001 - 5,000 employees
True. The business comes back to us asking, "Can we have this in phase 2 of the project, because this may hinder our go-live timeline?" We explain the pros and cons of the impact to the company: we can't compromise the security of the company, and this has to be scoped into the project from the beginning, including the additional costs they have to incur for security setups like MFA/SSO and other security ring-fencing to build and protect PII or any other valuable assets.
CTO in Software, 201 - 500 employees
I think this is mostly an organizational change management issue (almost like any other). I would suggest a couple of approaches that work best together: 1) adopting a DevSecOps way of doing things with the main focus being on the joint ownership of tasks and initiatives; an integrated and empowered team is the key; 2) shifting security as far left as possible; if you want a can-do attitude and cooperation you need to be inclusive from the onset. When there's joint ownership with a common goal of getting things done, miracles happen :)
CIO, Senior VP in Finance (non-banking), 1,001 - 5,000 employees
Bring IT in during the first meeting. In fact, do it while you are still thinking about new technology. Don't wait. Treat them like the experts they are. Make sure they know that the systems, and all the hard work they have done to secure, monitor and provision them, are valued.
Senior Security and Compliance Auditor in Software, 1,001 - 5,000 employees
I think it's important to have a published (internally) and agreed-upon weighted criteria for any solution being considered: functionality, security, compliance, recoverability, integration with other tools, usability, etc. This will filter out weaker vendors from the start. It's easy to annoy IT and Security with flavor-of-the-month solutions, since there is always something shinier, but it may require tons of effort for only ounces of gain over what you already have. The weighted process (even for demos, not just RFPs) will get everyone on the same page, as it highlights the vendor shortcomings in a specific way so that they can be addressed (e.g. the solution needs MFA). This provides a path for a "No" to change to a "Yes" once changes to the solution are made. With the required criteria in place, non-IT business areas will begin raising those key technical requirements with vendors before engaging IT. All that said, there still needs to be a well-thought-out proposal to justify the effort, bandwidth, and costs, as all of these are limited in some way.
Director of Educational & Information Technology in Education, 201 - 500 employees
This is very much a function of when IT is included in the process. Is it after the business unit has decided on the whole project and has selected a vendor and just wants "implementation" without feedback? I have found that the most success comes from a very early meeting between the business unit and IT, when the goals and limitations of the project are being discussed. When IT is included from the early stages so that security and operational issues can be identified and mitigated, resistance is minimal.
Chief Information Officer in Healthcare and Biotech, 1,001 - 5,000 employees
I suspect this is a common occurrence in many organizations. There is a fine line between the InfoSec team being perceived as a partner or perceived as a “gate keeper”. More mature InfoSec teams are considered essential partners by the business side of an organization. It takes a lot of work and trust for an InfoSec team to be perceived as a partner instead of a gate keeper. The best way for an InfoSec team to develop trust with the business is to speak the business’s language, share the same business goals and to demonstrate value beyond technology implementation.
Engineer, Self-employed
Depends on what "this" is. If this is switching from a monolithic architecture to a microservices architecture, maybe it isn't worth the effort. 
You could start by doing a cost evaluation. If you pay an employee every month to do a task that can be automated, then that is money back in the company's pocket. The employee now gets to do something fun instead of something mundane.
If the task is something like "make pulse.qa mobile compatible" then your cost analysis would include how much business is being lost to mobile users.
