I would pose two questions: Are you playing offense or defense? Are you playing to win or to not lose?
Most organizations play defense. They play to not lose. When you are on defense it means that the other guys (the bad guys) are on offense. They are in control. Organizations on defense, organizations who are playing to not lose, are motivated by fear. Talk to most IT security folks and they will spend their time telling you about all of the bad things just waiting to happen. True, it is a dangerous world out there and there are bad guys lurking in cyberspace, but too often IT organizations use the vague fear of a “security incident” as a convenient excuse to avoid being the innovators that organizations desperately need. The constant drumbeat of “we can’t do that because it isn’t secure” gets old pretty quickly.
So how does one play offense? How does an organization’s security function play to win and in doing so turn security from a constraint into an opportunity? Here are three suggestions.
1. Master the basics: Football legend Vince Lombardi famously began each year’s Green Bay Packers training camp by assembling all of the players (remember, these guys had frequently won the NFL championship the year before), holding up a football, and saying, “Gentlemen, this is a football.” He always started with the basics, no matter how good they thought they were. Master the basics of cyber security. Have the proper safeguards, policies and internal practices in place. Get your own house in order.
2. Explain why and how: Engage the organization’s employees (the whole organization, not just IT) in a constructive and ongoing dialog about WHY cyber security is important, their role in it, and HOW they contribute. Train people to be responsible instead of fearful. Use language that they can relate to. Awareness is the first step towards prevention.
3. Dialog not dictates: “We can’t do that, it isn’t secure.” How many times do people in your organization use these words as a first response to anything new? More than you think, I bet. Approach new initiatives and opportunities from the perspective of “How can we make this work?” instead of “We can’t do that.” Don’t be reckless, but don’t be lazy and stubborn either. It may take some work to figure out a workable solution, but after all, isn’t that what you are being paid for?