The reason for having an IT department is to provide IT-based solutions to the business. In turn, Information Technology groups follow a project-based methodology to bring these IT solutions to the business.
The theoretical approach consists of linking the risk management methodology in place in the organisation with the project management methodology used in-house. This recommendation sounds logical and appropriate. However, it is not sufficient: reality shows that nowadays the provision of IT solutions needs to be agile and to accommodate customers' business needs in a fast-changing manner.
Realistically, the triadic mantra for an IT project is to deliver on time, on budget and with the required quality. IT security can only slightly change the direction of a project and make a modest improvement to this project triad. The earlier IT security works with the project team, the greater its influence will be. It is not just that IT provides solutions to the business: these days IT needs to provide secure solutions to the business.
A business is not in business just to do business, but to do it in a secure way.
In most organisations, IT and IT security are only support areas, not core business areas. Management boards tend to consider IT and IT security like any other support function: an important function, certainly, maybe essential, but not the core of the business.
Doing business means taking risks: IT security needs to provide business makers with a clear risk description so that they can make informed risk-related decisions.
More often than desired, security acts as an obstacle to the business running risks, some of which are even unknown to the decision-makers. The ultimate role of IT security is to inform the owner of the business of the IT risks run by the organisation.
IT security professionals should forget the sentence "you cannot do it, it is very insecure" and replace it with "we will do it in a more secure way".
The 100% secure IT system is the one that is switched off and buried in a block of concrete. However, that system is of no use to the business. The IT security team provides advice on how to deliver the functionality demanded by the business, not on how to prevent the business from turning its idea into reality.
The business will implement its idea anyway. Therefore, it is better for the organisation (and for the team) that it does so with the IT security team, rather than in a totally uncontrolled manner.