When does InfoSec cajoling turn into being a pain? Can our approach be counterproductive?
I recently chatted to a chum of mine about an incident at work. I believe it’s a lesson in the wrong approach by InfoSec staff and a cautionary tale for all of us on how not to do it.
I’m not naming any names here to protect internal relations, but let’s call the person Geoff and say they work for the Council. And there is some artistic licence applied for emphasis.
Geoff has a project promoting access for 3rd Sector workers, and part of this involves getting them access to the data they require to deliver services for the council. It’s Big Society in action, and whatever your views on this, it’s happening. External access to data is a huge topic in the Public Sector right now, because of the Open Data initiatives. Add in the whole consumerisation piece and data access is set to become one of the topics du jour.
Anyway, Geoff decides to go and see his chums in the security team. And I am sorry to say that it didn’t go well. Most of the session involved Geoff being lectured on how he should be doing his job (and he’s quite experienced in IT), and at no time was a solution proffered. No, he was told, we cannot do this. But, says Geoff, if we can authorise and authenticate the nice people at the Charity, and we get the necessary approvals from a DP stance, surely we can do it? No, says security. It’s too difficult, and anyway, we don’t see the business benefit. Geoff gets very frustrated: explaining to him how to do his job is at best unhelpful, and the world has changed.
Anybody that has had a run-in with a shopping mall security guard will recognise the approach. My daughter (9) got told off for taking pictures of shops in our local mall by a chap with a hat and a walkie-talkie. No explanation was offered by the gorilla as to why she could not take pictures, and no reasoning was to be had. Making a nine-year-old cry will only get you one thing – a serious falling out with the little girl’s father (it was only a wifely intervention that stopped said security guard wearing his torch somewhere inconvenient).
InfoSec people standing in the way of projects for no better reason than the fact that they can’t see the reason for doing something is not good enough. We cannot possibly always understand the reason why something needs doing, but if we genuinely are going to act as enablers for the radical changes required in the Public Sector over the next few years, we need to trust our colleagues and offer a flexible approach.
It’s not our job anymore to say no. It’s our job to try and say yes, with all the subtle connotations this involves.