Ask any IT professional: users and management consider the IT department to be the "no-can-do team." I have witnessed this many times. For example: a project leader, believing the "no-can-do" attitude exists, does not involve the IT department’s security personnel until the project is nearly finished. When the security team becomes involved, they prevent the project from moving forward until they are satisfied the digital components do not put the company at risk. It’s a move that, although well intentioned, never sits well with upper management.
Brian Honan, an independent security expert and founder of BH Consulting recently wrote about this in the post: "How to Build Trust Between Business and IT." I asked him a few questions on how relations between corporate management and the IT department can be improved. Honan said, "To combat the lack of trust, the security team needs to be more proactive in how they work with corporate. Security should not stop a business from working or developing new initiatives, security should enable the business to achieve their goals, but in a secure manner."
Here we’ll take a look at some of the ways that corporate and IT departments can learn to get along again.
Communication Leads to Trust
Building trust requires good communication. That seems simple enough, but the problem is that business leaders tend see IT security as a bit of a nuisance. Sure, it’s important, but it’s also inconvenient and expensive. How does the IT department become more proactive? Honan feels that trust will only come if a concerted effort is made to improve inter-departmental communications. So that’s the first step.
"Regularly meeting with senior management within other departments to see what their challenges are could enable the IT department to identify ways to meet those challenges while also gaining an ally in the boardroom," Honan said.
An example suggested by Honan might be how a discussion with the head of sales could highlight the challenges her team has accessing client-management systems. If, as a result of this information, the IT department can proactively identify a secure way to enable the sales team to do this, it could positively impact the company’s bottom line, and help improve trust.
Get Rid of Negative Perception
Getting rid of the "no-can-do" stigma can go a long way toward building trust.
"Security people need to engage their peers more often. This can be going to lunch or coffee with a colleague, discussing what their work day is like, and what challenges they may have," Honan said.
That allows the employee in the security department to identify potential spots where the IT department might help improve business processes while keeping them secure. Honan provided an example where he helped a client do just that, but with a unique twist.
"I worked with a client where we ran a number of workshops at lunchtime providing employees with information on how to keep their children safe while online," Honan said. "Besides learning how to keep their kids safe, the staff began applying the same principles at work."
Honan said there was an added benefit to engaging the client’s employees — employees began visiting the IT department, asking security personnel for advice regarding their computers at home and work — another sign of improved trust.
Stop Using Geek-Speak
The next hurdle Honan mentioned was getting IT personnel to use familiar terms, and avoid acronyms, jargon and other "geek speak." I asked Honan how one manages technical discussions using non-technical language.
"Use analogies," Honan said. "They can help explain complex technical situations to non-technical people. For example, when we think of brakes on a car, we think they are there to stop the car. This is true, but if we view it another way, brakes on a car help it go fast. If there were no brakes on a car, we would have to drive very slowly and carefully to avoid obstacles and accidents. The same should be true for security. Security should not stop the business but enable it to progress faster and safer."
Another way to communicate is in terms of risk. Business people understand risk and what it means, so communicating in those terms helps. (Learn some geek speak in 10 Tech Acronyms You Must Know.)
Stop Crying Wolf
Corporate has more on their plates than just IT concerns, such as the continued success of the business. What that means is that corporate looks at issues with respect to the bottom line, what action is needed, and quite frankly, whether it is worth bothering with or not.
"If we [IT staff] run to senior management claiming every threat and issue is a top priority, we will quickly be viewed as the boy who cried wolf all the time."
Honan stressed that the best way to present information is in terms of risk that will be understood by corporate management.