By Richard Rees, Security & Compliance Architect, VMware Professional Services
In my post last week about the NSA and hybrid cloud, I shared an important equation from the security world: Trust = Visibility + Control. In other words, if I’m going to trust a third party with my data assets, I need more visibility to make me comfortable with less control.
Today I want to highlight the different requirements that security, IT, and business have for building trust, and how improved visibility can help all three build a more successful working relationship.
Let’s start with security, the most risk-averse, and a mindset I have the best insight into. We know that business and IT are frustrated when we say no, but they need to understand our thought process. If security says “no,” and something bad happens, we get to say “I told you so.” If we say “no,” and nothing bad happens, we’re still ok. But every time we say “yes” we take a risk on getting burned. And we’ve been burned plenty before.
The business side has completely different requirements for trust. To them, risk is just the cost of doing business. You acquire a company, it doesn’t perform as you expected, you sell it off again. That’s that. Meanwhile, IT is somewhere in the middle, focused on efficiency and service delivery to the business.
When these different risk tolerances compete (instead of collaborating), new problems arise, such as the precipitous growth of “shadow IT” and the security problems it poses.