Let others define the security challenge to solve more problems

How a confrontation between the head of security and the head trader revealed that the pathway to better solutions involves fewer assumptions and more questions

Even retelling the story, she was visibly upset.

After explaining to the head trader the importance of protecting sensitive information, Karen* (not her real name) was livid to find a copy of a complicated spreadsheet on a publicly facing drive (this was a decade ago, so the actual technology has changed a bit).

She decided it was time to take Kevin* (not his real name), the head trader, on and put an end to the constant security abuses. She stormed into his office with a printed copy of the spreadsheet and demanded to know why it was publicly available.

"It's no big deal," came his response.

That only angered her more. She dug in and started listing all the ways this could harm the trading -- and the profits -- of the company. She lit into him.

Then she asked, "What do you think would happen if a competitor got a copy of this?" She thought that would help him understand the impact. Instead, the answer was about to teach her.

"If they called, I'd give it to them," replied a slightly irritated Kevin.

"What?"

Kevin explained, "Look, a bunch of us get together every morning. We build the spreadsheet together. So if someone needed it, I'd just give it to them. And if I needed it, they'd give it to me. No big deal."

Karen pressed for more details. She wasn't sure if Kevin was answering honestly or trying to anger her more.

"The spreadsheet isn't important. What I do with the information matters. I can give the spreadsheet away. It's really not important."

Not all information is what it seems

When Karen found the spreadsheet, she reviewed the information. What she found was clearly related to the trading floor. She then made an assumption that if the spreadsheet looked important, it needed to be protected. She saw a challenge where none existed.

Karen was wrong.

She learned an important lesson, too. When charged with protecting information, we can't possibly know the value of each element. In this case, what started as a confrontation ended as a collaboration and a better relationship for the future.

Changing the reputation of security

Always under the gun, security has an earned reputation of rapidly declaring the problem and solution. Often in the same breath. Many who experience this form strong impressions of security as a naysayer and react strongly to the perception of additional security barriers.

They aren't always wrong. Security needs to change that reputation.

First step, we have to stop telling people what we think the problem is. We have to take a deep breath and ask them to help us understand the challenge and what they're trying to get done.

It means we need to give them the structure and the opportunity to use their own words and experiences to educate us. Along the way, they can assign a value to the information and communicate it to us in a way we understand.

Avoid the confrontation, ask some questions

For Karen, the confrontation worked. It was a long time coming, and the approach matched Kevin's style. For them, it resulted in a better relationship. That was also a decade ago. Today, I'd skip the confrontation; people get the importance of security, even if they don't understand it or agree with specific actions.

Instead of confrontation, start with questions. Honest, direct questions. Use the opportunity to learn, to develop a deeper understanding of the business. More importantly, learn more about the people of the business.

Demonstrate a desire to learn how the process works. Confirm understanding with additional questions and continued conversation.

Provide value by applying the "Lens of Security"

With an understanding of the challenge, it's possible to apply our experience and the "lens of security." We can offer options to address the challenge and see what resonates.

If the solution is still filled with jargon or confusing, it presents an opportunity for a demonstration. Give people a glimpse of the experience and explore, together, how it might solve the challenge.

Letting others define the security challenge -- in their words -- often results in a better solution that is more readily adopted. Sometimes, it even increases business value, too, by solving additional problems while increasing security.

Start by asking a few questions and engage in conversations that change perceptions and provide better solutions. 
