“There’s another name for traffic wardens. Revenue Protection Inspectors is one.”
Some crevices of civilisation attract the traffic warden personality. We see them lurking in children’s sporting competitions, in business communities, and in our social lives, where they slip just under the anti-bullying bar. In popular culture we know them as Jobsworths, popularised on television (That’s Life) and in film (the Beatles’ Help!).
One particular organisational Petri dish for this is the Business Risk discipline, particularly when it deals with the security of regulated systems.
The information systems security advisor, ossified into the role and confronted with a business decision, reacts by reducing personal risk, without regard for the contingent business implications. Imagine that there is a business imperative to post a letter. The post box is on the street corner; the street corner has double yellow lines.
The security advisor’s solution: “The Road Traffic Act says one can’t park on double yellow lines. You must park in the town-centre car park and catch a bus to the post box. I’m not making a decision, but I can document the risks and ask someone else to break the law”.
The risk opinion goes up the tree, no one wants to challenge perfectly reasonable logic until the business unit who wants to post the letter realises the additional costs and then does their own analysis:
The pragmatic business: “We could be purists, at huge cost, or we could park up and take a chance. But what I think we’ll do is drive with a colleague, park up, and I’ll jump out while my colleague keeps watch and drives round the block if anyone comes.”
The answer to this behaviour lies in the interstices of security and risk. The security purist says “no”; the risk manager says “no, but”. Unlearning behaviour is hard: the information security trade tends to attract a certain personality type who is personally risk averse, prone to pedantry, and inclined to think in the language of protection, defence, doing less and stopping things from happening. Turning our security teams into business teams is a start, followed by extracting security from IT and having it report into the business, or at least into the business risk function.
Making a decision is scary, but extracting value from the risk teams means empowering and enforcing decision-making behaviour, viewing security as a tool to enable business imperatives, and changing the language we use to reflect that security can help an organisation grow as well as defend. There are many examples of this, from the trivial (bringing your own iPad) through to enabling secure financial transactions and using security as a selling point.
If we don’t do this, we risk the security trade being relegated to the organisational cul-de-sacs, where their deontological minds will ensure they are perceived as an Immanuel Kant and called Traffic Warden behind their backs.