Depends on who you ask, I suppose.
In my experience as a security professional I have seen some security organizations in big companies that were so well oiled that patches could be rolled out in a few days after release without any impact to the larger organization. I’ve also seen some that were virtually non-existent—victims of poor leadership or political agendas. Most programs I see fall somewhere in the middle of that continuum, but for the most part are not as functional as they could (should) be. Therefore, in those companies, information security is seen as an impediment to innovation and creative people find ways around them.
Imagine for a minute that you were a data center manager looking to boost your career with the next big revenue generating (or cost saving) initiative. You are looking at the high costs of power, cooling, and floor space and realize that you have allowed a data center to be built and operated only for peak times, and you are sitting at 70-90% idle for the most time. You start thinking about ways to change that idle time to dollars (legally). In every case, you are considering either reducing your footprint by converting parts of your IT services to a utility-based computing model, or by adding new products and services that could act as a lower tier in priority to your primary business.
Kind of sounds like a cloud initiative to me, what about you? My spidey sense is tingling…
If security was an enabler of innovation, they would be able to work with this data center manager to show him which parts of the data center could be migrated to a cloud system, or which physical infrastructure could be segmented to offer second tier computing services to other products or even third parties with minimal impact to the organization.
But in many cases, security professionals do not take this attitude, and would work to crush the initiative before it even starts. If the data center manager knows this is likely to happen, he will do whatever it takes to hide his actions until he is up and running, and potentially promoted. That is the kind of thing that might keep me up at night.
What I’d love to know is what stories YOU have? What examples do you have of security either enabling or impeding innovation? Leave them in the comments below!
Possibly Related Posts:
- Let’s Encrypt for non-webservers
- Ten Things Companies Get Wrong About CIAM
- Protect Yourself and Freeze Your Credit
- Selective Domain Filtering with Postfix and a SPAM Filtering Service
- Preventing Account Takeover, Enable MFA!