
On "Responsibility Without Authority"

Continuing my line of thinking from my previous post, "Do You Need a Security Department?", I wanted to speak to this notion of having responsibility without authority. It seems to be a problem common to many security people in their respective organizations, and it perplexes me greatly.

Traditionally, the response to this problem has been to undertake building a security organization that could essentially assert authority over key areas (access management, risk management, audit/testing, logging and monitoring, incident response, etc.). This approach made sense because most orgs were (are?) rife with people who simply do not "get" security. Rather than undertake a massive educational effort alone, which would take time and extend exposure, it instead made sense to just take ownership of these areas to ensure that the "right things" were done.

Today, however - and this is really the underlying point of my post - this may no longer be the best approach. It will absolutely depend on the organization, no doubt about it. And I'm not saying you cannot or should not continue with the traditional approach. However, it bears consideration whether or not it is optimal and effective to grab authority rather than to simply make sure that the responsibility itself is properly placed.

If you think about it, security likely should not be truly responsible for much of anything. This whole "responsibility without authority" scenario is, in fact, a grave injustice that enables bad behavior; specifically, behavior where people deflect responsibility inappropriately. Culturally, this seems to jibe with a larger issue (it reminds me of Douglas Adams' "SEP field generator" concept). If you don't have to own your actions, then you don't have to act responsibly or appropriately. Requirements without consequences for failing to conform are worthless.

In the end, I'm increasingly inclined to believe that the reason we are where we are in this industry is because we in security roles have taken on too much responsibility. It's time to stop enabling bad behavior.


Listed below are links to weblogs that reference On "Responsibility Without Authority":

» How NOT To Build a Security Program from The Falcon's View
Andy Willingham (Andy ITGuy, @andywillingham) had a post up early this week titled "Building a security program from the ground up". It's an interesting read, though a bit on the naive side. Having just come out of an environment where... [Read More]

Comments (1)

CG:

"However, it bears consideration whether or not it is optimal and effective to grab authority rather than to simply make sure that the responsibility itself is properly placed."

exactly!

I think you hit on the true underlying problem. If people did their job correctly AND securely in the first place, there would be little for a security team to do (maybe that's a stretch... but certainly less).


About

This page contains a single entry from the blog posted on July 16, 2009 12:06 PM.


Creative Commons License
This weblog is licensed under a Creative Commons License.