It is high-time the Information controls (especially Information security controls) move into a mode of ‘Protecting’ (‘Provide and Protect’ – the phrase I borrowed from a colleague, as I liked it very much! or even better: “Protect and enable“) than ‘Controlling’.

Many organizations get into a false sense of achievement in ‘control’ and ‘compliance’  by putting stringent information security controls (technical or procedural) – to the extend of restricting or handicapping the business itself!

Here are a couple real-life cases I had experienced recently:

  • In a global organization where they hired me as a consultant – I had to go in to discussions with just a notepad; as getting an external laptop inside involved a huge procedure and a series of justifications and approvals! The team didnt find it ‘worth the pain’. Talk about productive output from an external consultant you are hiring!
  • A corporate where i was conducting ITIL workshops opted NOT to go for a prometric exam conducted in their premise (though we all agreed that could be the most optimal and cost effective option for them) – Since getting an external server connected to their network involved (in their words), ‘too much of procedures’ and ‘too much of pain to get all approvals etc’.

Here we can argue on all the sides – justifying the actions of all parties involved, with fairly genuine arguments on all sides.

Add on to this – a negative perception created in the mind of business users. 

Here is a real-life question I got from a person who worked in IT industry (not in the IT or Information Security department, but in the software development side) for more than a decade:

‘The IT team who are controlling the information security and put all the controls in what ever we communicate, uses etc. But they have full access to the entire information: be it mails, data, customer confidential data, anything. So what confidentiality you are talking about?’   (Look at the level of awareness, trust and confidence!!) I could explain and try to convince one person – but the point is about the bigger issue of awareness and acceptance!

 To summary could be- the Information Security Controls are delivering the objective as the name suggests:  it is controlling (read ‘restricting’) the business activities.  But is it delivering the actual objective and value?

With my limited understanding of the internal policies, requirements etc of those organizations quoted above, I could see the following clear failure points :

  1. Complexity of the controls
  2. Lack of involvement from various stake holders in defining and implementing controls – in the real sense of ‘business requirements and priorities’
  3. Lack of ‘value’ seen by the stake holders – or lack of awareness.

How do we make Information Security do away the image of ‘controlling’ and  ‘policing’ that it holds currently?

How do we make Information Security as a business ‘protector and enabler’ as it should be?

I think ansers to these questions will make Information Security more visible, effectice and efficient in organizations.