Security and IT managers need to understand the business
31/May/2007 9:14AM

When it comes to security and IT in general, does the exec need to change, or do we? That is a question that Pete Lindstrom answers here, and though I have had my differences of opinion with Mr. Lindstrom, I think he is dead on this time.

Mr. Lindstrom's post is directed at Marcus Ranum's latest podcast, which I have not heard, so I cannot directly comment on his criticism. However, I can say that Pete makes a great point when he says, "We don't try hard enough to understand business problems." I can't say it surprises me when IT people gripe about management. There have been enough times when I was guilty of that. And there have been times when the griping was justified because the exec made completely bone-headed decisions that left my network wide open to attack (like the whole "security figurehead" issue I keep bringing up). But at the same time, execs have a pool of money to spend, and they have to make decisions on where to spend that money. Unfortunately, IT is not the only place where it has to be spent. Do average spending percentages need to be increased in most companies? Probably. But ranting and raving at an executive or your buddies about it is not going to get anything done. If we are going to make any progress at all, we have to understand the business implications, and we have to work within those strictures. Better to have something done by working with the exec rather than nothing at all getting done because all we did was moan about our plight.

I found a perfect example of this yesterday. I was in a meeting with a potential client yesterday, and he mentioned that he was in the midst of an SAP implementation (I know... ouch). The comment that he made was that the SAP project committee was not chaired by IT. They thought that it would be a better idea to have a business unit manager head it up, since this was primarily a business application. I congratulated him on his right-thinking and maturity in making that decision. He is the IT director, yet he knew that a business does not exist to create a job for IT folks and have them look down on everyone because they know the company would crash around their ears if they decided to not do their jobs. IT should be in place to help the business run. IT is a business enabler.

Security as well should not hamper business. Security is there to protect without hindering. That is a fine line, and it is sometimes very frustrating. But the job of a security manager is to make management understand that there are risks, what those risks are, and how those risks can be mitigated. Basically, the security manager's job is to give choices, enable those choices, and live with the choices that are made. That is maturity.





Copyright © 2006 Rootio Ltd. All rights reserved.