Sometimes it feels like IT teams just don't get it. We've had numerous meetings with vendors where the business comes in excited only to have IT / InfoSec pour water all over it. What does it take to shift the mindset from 'Let's block this' to 'How do we make this happen together'?
To get in front of that, identify in advance what their objections may be. Show that you have considered them and why they can be accepted or mitigated.
If you come to the table well-researched with legitimate data, they will likely be more on your side.
Thanks Ben, great answer. Is there a cultural aspect to this as well? If so, is it a top-down thing or bottom-up thing?
It’s such a broad answer.
Sometimes in security it is a power thing. They just want to block everything.
Sometimes it's politics.
Sometimes it’s laziness. If they block the project they don’t have to work to secure it.
But if security is blocking everything, there is a problem there.
This reminds me of how healthcare IT organizations would push back on digital transformation and cloud-based application modernization opportunities because of concerns about HIPAA compliance. Especially while paper-based health records and clinicians' desktop screens were often left unsecured. In actuality we've had the identity and data security necessary for some time now thanks to our more motivated IT colleagues in financial services. The silver lining of Covid-19 is that it has forced these same organizations to move towards greater digital engagement between patients and providers, and we're seeing improvements that were a long time coming.
You could start by doing a cost evaluation. If you pay an employee every month to do a task that can be automated, then that is money back in the company's pocket. The employee now gets to do something fun instead of something mundane.
If the task is something like "make pulse.qa mobile compatible" then your cost analysis would include how much business is being lost to mobile users.
For us, the way to circumvent these was to give our champion and budget holder a strong reason to move forward. If the business value was there, they would fight the fight for us.
This is also why "Shadow IT" continues to grow, and I would love your thoughts.
I've written/spoken quite a lot over the years about Shadow IT:
https://www.cio.com/article/3199236/is-shadow-it-something-cios-should-worry-about.html
https://medium.com/@mdkail/how-can-cios-can-get-ahead-of-shadow-it-1604937598de
https://www.netskope.com/press-releases/netskopes-ceo-wants-you-to-let-your-users-go-rogue
Still love Netskope's "Allow is the New Block" slogan
The large majority of InfoSec teams are fine working with vendors and startups as long as they are able to demonstrate in clear terms that they care about security, have laid a good foundation, have plans, and have a clear thought process on how to protect customer data. My strong advice is to provide a security narrative or guidance document, not boilerplate and templates, that speaks to these points. Lastly, I would advocate for vendors to be proactive in wanting to talk with security teams rather than try to go around them.