Recently I was reminded of how helpful it can be for business leaders to set clear boundaries with security/IT for what is, and is not, open for discussion. I was both shocked and encouraged by what the leader said to the room.
I was listening in on a workshop composed mostly of security, infrastructure, and DevOps engineers. As is typical for these types of events, the teams were debating techie details, what is/is not possible, and otherwise going in circles. In the midst of this, a senior business leader stood in front of the room and said (paraphrasing): “The business has made the decision to do X, by date Y. You are tasked with delivering it. Within those constraints, we can and should discuss how best to go about it. But we are not here to decide if it should be done or not. That decision has already been made.”
You could’ve heard a pin drop. It was awesome.
There was some grumbling around the water cooler at the break, but the entire tone of the meeting changed after this point. Basically, people stopped being part of the problem, and started to become part of the solution.
For sure, it’s foolish for business leaders to embrace change when they are focused on the rewards without also understanding the risks. The role of the security team is to provide this guidance.
But at the end of the day, the only reason any of us have a job in tech/security is because we work for successful, ambitious, growing businesses. In large orgs, IT and security folks often huddle together (virtually, if not physically) in ivory towers where they never see or interact with actual business people, doing the actual work of the business, at the coalface with customers. This warps our perspective about what the real world is like, and what really matters. It’s how security teams get stuck in a FUD loop where their primary contribution becomes NaaS (No-as-a-Service). We all sometimes need to be reminded that security risk is not the only risk, and sometimes not even the most important risk, that a business faces.
So business leaders, be bold. Security and IT will figure out how to do things sustainably and securely. Don’t be prescriptive. But the why and what, i.e. the mandate and the scope for change, need to come from you.
Business Leaders: How to Help the Technologists to Help You
August 18, 2023