Living in Washington DC, I find that many of my friends and acquaintances work for the federal government in some capacity, and not all of these people are in IT. When you live in this area, politics seems to permeate everything, making House of Cards seem more like reality television than fiction.
I know a former congressional staff member, and when we run into each other, inevitably our conversations turn to the current state of the federal government. It’s obligatory here, sort of like chatting about the weather anywhere else. Recently she made the point that recent problems with government shutdowns and standoffs could be attributed to one major problem: confusing compromise with capitulation. The government only works when both sides are willing to negotiate, and unsophisticated, inexperienced politicians generally fail to differentiate between the two concepts, causing no end of problems.
I realized this is also a major problem with many information security professionals. At least 50% of our work is focused on discussing and negotiating risk. Does Operations really need to apply that emergency patch to all 2500 servers today to mitigate the latest threat? Is there an active exploit? What about the risk of service interruption? Can it be done in phases?
Often, our relationship to the organization turns into a WWE Main Event: Information Security vs. the Business. But like effective politicians (no, it’s not always an oxymoron), good security professionals pick their battles, living to fight another day. Compromise is not the same as capitulation, and it doesn’t mean we’ve surrendered to the Dark Side when we work with the business to build reasonable timelines for remediating risk.