The single best IT security approach I have seen was (paraphrased):
- IT Security is not allowed to say "No" to Business.
It was like the "Yes, and..." drama game.
IT Security had to accept that the business had a need to do a thing. That people didn't just think up dumb shit to do, despite appearances.
And it was Security's job to help enable that thing rather than simply saying "No". Of course, they might end up saying no to a particular process, but then they had to work with the Business on a better process that both sides were happy with. A rebalancing of the tradeoffs between speed and security, which can often sacrifice very little speed in the IT world.
It meant that any project, or even simple day-to-day stuff, could be run past IT Security with no fear. It helped, of course, that IT Security employed sociable, helpful people too.