KNOW before NO
A good friend told me an engaged information security professional leads with the KNOW instead of the NO. This comment struck me and has resonated well for the last several years. It has encouraged me to better understand the desires of the business areas in an attempt to avoid the perception of being the “no police”.
We can recognize the value in sprinkling information security concepts early and often into software development projects. This approach saves each stakeholder a lot of time and frustration, especially compared to the opposite approach, in which the information security team often learns at the very last minute that a new high-profile project is about to launch without the proper level of information security engagement.
Projects and initiatives may still warrant a “no” from an information security perspective. Before we go there by default, I respectfully invite all to KNOW before we NO. We can improve engagement with our respective business areas by considering this approach. In what areas can you KNOW before you NO next week?
I recently posted this article on the SANS Internet Storm Center.
Russell Eubanks