You can’t have no in your heart – collaborative approaches to secure design

…Love you Joe Dirt!

As Security and IAM professionals, unfortunately we have to say no a lot.  Not out of malice or intent, but because we need to ensure the protection of data and organizations.  Doing that though comes with an adverse effect.  People will be less apt to engage security and IAM if they feel they are constantly being hampered in getting their job done, which in turn, leads to more shadow IT and lack of security and IAM controls.  I have this conversation with colleagues a lot when coaching and there are ways to achieve the mission while allowing people to feel empowered, engaged, and enabled to do what they need to get done.

To start, I’m a firm believer that when people engage, have ideas, etc. they want to do it ‘the right way’, which is why they are asking for permission and/or help.  In that desire, they are bringing an idea forward and as such should not be discouraged or hampered, but should be fostered and supported.  In those instances where you know something is risky or outside of policy, the first response should not be no, but should be why.  For instance, I was asked recently to reduce password complexity for the environment given a particular application was ‘semi-public’.  But, what the requester did not understand was that the application was actually integrated with their core directory services, which did protect other sensitive information.  And, ultimately, the requester just wanted to make it easier / fewer clicks to get into the application given the non-sensitive nature of it.  So, rather than just saying no, I worked with them and enumerated that the target application supported OIDC and could easily be integrated with the core SSO platform and integrated authentication.  This achieved the user’s goal, and by extension, the IAM / security goal since it enabled strong authentication for an internal application.

Why is this important? Ultimately we want users to follow policy and want them to engage us in support of their missions.  And to do so, we need them to come and work with us.  To ensure this, when you do get requests or get engaged with projects, be sure to focus on a few things:

  1. What is the ultimate goal, is it easy access, usability, etc.?  Work with the requester to understand why they need something or are submitting the request.
  2. Look at options to achieve the goal while following process and policy.  I’m a firm believer that there is always a solution (just a matter of time, opportunity, and money) so think outside the box and try to find a solution.
  3. Offer options and explain the benefits and/or challenges of each to the user. Given available options, the user will identify which works best for them and ultimately be more appreciative that you are helping, not hampering, them.
  4. DO NOT SAY NO! More appropriate, say ‘we cannot do it this way, but here are options to achieve what you are looking to get done.’

Ultimately, with this approach, you’ll be engaged a lot more by your organization given you are offering solutions, not road blocks.  By extension, this supports the security and Identity mission through increased protection and integration with IAM components.
