AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Saying No to the Culture of No

Welcome to the second blog in our special series, Mitigating Gartner’s Network Security Worst Practices.

In this blog we’ll cover “The Culture of No”. According to research by Gartner, “Many Gartner clients make statements along the lines of “those IT folks prevent us from doing our jobs.” They specifically cite that security departments implement policy and controls without regard for business function.[1]” Does this sound familiar?

The solution is twofold, as is often the case. The first step requires a change in culture and attitude. One CISO I recently spoke with forbids his team from using words such as “no” and “can’t”, and makes them replace these words with “how?”. Surprisingly, this isn’t just the right thing to do from a business enablement standpoint; it’s also the right thing to do from a security standpoint. Users who are constantly blocked by security from doing their work will find a way to bypass those controls, most likely on platforms that are less secure and that security cannot see. Just in case you have been sleeping under a rock for the past 5 years: anyone with a credit card can now spin up their own machine on Amazon in minutes, away from IT’s prying eyes, and readily available services such as Dropbox make it just as easy to move company data off the network.

But there is another reason why security and IT often stand in the way of business, and that is a lack of visibility into, and control over, how their actions affect business functions. Without such visibility it is easy to revert to the lowest common denominator: forbid it. This is where security policy management solutions can help. With relatively new and innovative solutions that offer visibility and control of application connectivity requirements, network and security practitioners can rise above the bits, bytes and IP addresses and see how enabling (or removing) access impacts business services. The same visibility can also take the security and compliance mandates of your organization into consideration.

Sometimes a good reason for saying no does exist, such as a change that would violate PCI DSS, but with the right solution security will have the data in hand to justify the decision, instead of just being the naysayer. With proper visibility and control, most business requests can be safely enabled, moving your business forward and making you more popular at the next office party.
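To make the two kinds of analysis above concrete, here is an added example written for this edit (it is not AlgoSec product code, and the firewall rules, application flows, PCI zone and approved-port list are constructed sample data). It models a first-match firewall policy, maps each business application's flows onto that policy, reports which applications would break if a rule were removed, and turns an access request into a justified answer: “already allowed”, “approve and add this rule”, or “no, because it breaks the PCI DSS boundary”.

```python
"""Impact analysis for firewall access changes: who is affected, and why "no".

Added example, not AlgoSec code. All rules, flows, zones and port lists below
are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    ports: frozenset    # TCP ports the rule covers
    action: str         # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    app: str            # business application this connectivity belongs to
    src_ip: str
    dst_ip: str
    port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (ip_address(flow.src_ip) in ip_network(rule.src)
            and ip_address(flow.dst_ip) in ip_network(rule.dst)
            and flow.port in rule.ports)


def is_allowed(policy: list, flow: Flow) -> bool:
    """First-match semantics with an implicit deny at the end of the policy."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.action == "allow"
    return False


# Constructed sample policy (ordered, first match wins).
POLICY = [
    Rule("web-to-app", "10.1.0.0/24", "10.2.0.0/24", frozenset({8443}), "allow"),
    Rule("app-to-db", "10.2.0.0/24", "10.3.0.0/24", frozenset({5432}), "allow"),
    Rule("ops-ssh", "10.9.0.0/24", "10.0.0.0/8", frozenset({22}), "allow"),
]

# Constructed application connectivity map: which flows each application needs.
FLOWS = [
    Flow("Online Store", "10.1.0.10", "10.2.0.20", 8443),
    Flow("Online Store", "10.2.0.20", "10.3.0.30", 5432),
    Flow("Reporting", "10.2.0.21", "10.3.0.30", 5432),
    Flow("Ops", "10.9.0.5", "10.3.0.30", 22),
]

# Constructed compliance zoning: the database subnet is in PCI scope (the CDE),
# and only these services may be opened into it from outside the CDE.
CDE = ip_network("10.3.0.0/24")
CDE_APPROVED_PORTS = {5432, 22}


def impact_of_removing(rule_name: str, policy=POLICY, flows=FLOWS) -> list:
    """Flows that are allowed today but would be blocked without this rule."""
    remaining = [r for r in policy if r.name != rule_name]
    return sorted({(f.app, f.src_ip, f.dst_ip, f.port) for f in flows
                   if is_allowed(policy, f) and not is_allowed(remaining, f)})


def affected_apps(rule_name: str, policy=POLICY, flows=FLOWS) -> list:
    """Business applications that lose connectivity if the rule is removed."""
    return sorted({app for app, *_ in impact_of_removing(rule_name, policy, flows)})


def evaluate_request(flow: Flow, policy=POLICY) -> tuple:
    """Answer an access request with a decision and the reason behind it."""
    if is_allowed(policy, flow):
        return ("already-allowed", "no change needed")
    src_in_cde = ip_address(flow.src_ip) in CDE
    dst_in_cde = ip_address(flow.dst_ip) in CDE
    if dst_in_cde and not src_in_cde and flow.port not in CDE_APPROVED_PORTS:
        return ("deny", f"port {flow.port} from outside PCI scope into {CDE} "
                        f"is not an approved service")
    return ("approve", f"add allow rule {flow.src_ip} -> {flow.dst_ip}:{flow.port}")


if __name__ == "__main__":
    print("Removing app-to-db breaks:", affected_apps("app-to-db"))
    for req in (Flow("Reporting", "10.2.0.21", "10.3.0.30", 5432),
                Flow("Marketing", "10.1.0.50", "10.3.0.30", 3389),
                Flow("Reporting", "10.1.0.50", "10.2.0.20", 443)):
        print(req.app, req.src_ip, "->", req.dst_ip, req.port, evaluate_request(req))
```

The point of `evaluate_request` is the third return value: when the answer has to be no, it names the control that forces it, which is what lets security reply with “how?” (for example, route the request through an approved service) instead of a bare refusal.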

About the Mitigating Gartner’s Network Security Worst Practices Blog Series

In this special blog series we’re taking a deeper dive into the network security worst practices identified by Gartner, and are examining how each of the 9 worst practices that we specifically address can be mitigated using automated security policy management.

[1] Source: Gartner, Avoid these “Dirty Dozen” Network Security Worst Practices, by Andrew Lerner, Jeremy D’Hoinne, January 8, 2015.
