Clients hire Neohapsis for many reasons: our expertise, our perspective as impartial outsiders, and our commitment to executing projects efficiently and expertly are just a few. But while working with clients, an important subtask that I try to accomplish is to help them change the way they interact with the rest of their business – to get security departments to think and act like consultants. It’s easy for people working in IT, and those in Security in particular, to get caught up in their day-to-day activities. There’s always a new fire to be contained or technical hurdle to overcome. But while doing so, it’s important to understand how these activities are helping enable the business to continue to meet its overall goals. The most effective consultants understand their role: to be the trusted advisor. Internal security professionals can take on this same role within the company. Their departments have the responsibility of ensuring that risks are appropriately mitigated and that the business can continue to function smoothly in the face of constant external and internal threats. The core business can be viewed as a client of the security team, one that engages security for assistance and reassurance that its day-to-day activities aren’t putting the business at risk.
I’ve been working with one of our clients recently to help one of their business units engage more effectively with the internal security organization. In the past, the business unit handled many IT activities themselves, acting as a de facto independent IT department. While they are effective at running their own business, they did not have a security team focusing on their organization, so security concerns were often overlooked. When I began working with the team, I found out that one of their main complaints with asking the security organization for assistance was a lack of responsiveness. I’ve helped set this organization up for future success by serving as a liaison between these two parts of the business, facilitating better communication on both sides. The business unit has a central point of contact for security concerns, who can funnel them to the right people in the security organization; and the security organization has someone aware of most of the business unit’s projects and activities, which helps them cut through the confusion that can happen with disparate teams.
Security professionals must be both advisor and enforcer at the same time. It’s tempting to get caught up in enforcing security for security’s sake – but it is important to remember that the ultimate goal of a security professional must be to help the core business be successful.