Is Security Stifling Innovation?


This is a topic that has been on my mind for a long time and now seems the right time to discuss it. I have been in many meetings with clients, mostly business people that want to implement a new business strategy, only to find that desire impaired by security or regulatory concerns. I work for an auditing company so I understand, and appreciate, the need for auditing, but when I hear that companies are not doing certain projects to keep themselves competitive, it makes me nervous. I'd hate to have to conclude that we have become a nation that lets security and regulations drive our innovation.


I want to turn your attention to a survey conducted by IDC and funded by the RSA, where 61 percent of the respondents indicated that they are control or compliance driven. Conversely, 21 percent said they considered security in their organizations to be business aligned.


It upsets me to no end when I hear that IT has become an impediment to a company doing business. The job of IT and security professionals is to help guide our business partners. I hear the word "no" way too many times in meetings when business people ask about certain technologies, such as Web 2.0.


Now in all fairness, we can't blame it all on the security people. There are many times when security has become an afterthought. According to the study, the three consequences of excluding security early in the process include:


An innovative project fails because of poor information access.


Information security risks associated with innovation initiatives are too high because security was not brought into the process.


Slower time to market and higher costs result when security needs to be bolted on as an afterthought.


As in everything else in life, we need a balance. In this case, we're looking for a balance of innovation, regulation, risks and costs. Security should become the conduit through which IT strikes this balance by explaining to the business partners, in plain English, the risks and costs of projects. Instead of being impediments, IT security professionals need to be the innovators.