No CSO has "veto power" explicitly stated in his job description. But security is one of the few things other than money that can bring a project to a screeching halt.
Are there circumstances where a security veto should be wielded? And what are the hidden costs of a security veto?
Clearly there are circumstances where security overrides business utility: "No, you can't load 200,000 of our customers' credit cards onto your son's iPod for testing purposes!" Such situations are usually just a matter of policy and compliance.
A real veto is where there is a strong business case for the use of a technology, strategy or application and it is overridden because of an overwhelming risk. And very rarely is there no technology, process or control to mitigate the risk.
Perhaps then, the use of a security veto is an indication of either an insufficient "return on risk" or an insufficient security investment. In the former situation, we are making a wise business decision. In the latter, we are merely hiding a bad decision behind the unassailable excuse of security.
To determine which it is, we have to assess not only the risk and the cost to secure it, but also the opportunity cost — the potential upside of taking the risk.
This evaluation becomes very relevant when we are looking at new, innovative and untested technologies or applications. With new technologies it is hard to evaluate potential risks, and there may not be any well-established controls or countermeasures. It is even harder to foresee the potential upside of new technologies. Technology will be applied in unanticipated ways, yielding unanticipated benefits.
It is precisely these risks that have the potential for the biggest competitive advantage and return. And it seems it is precisely these risks that are subject to veto.
I had the opportunity to benchmark this observation during my recent security research. Fully two-thirds of the responding companies had decided against using a technology or service because of security concerns. Many were forgoing investments in collaborative tools (instant messaging, wikis and so forth).
Our research shows these tools can have a direct impact on top-line performance, when used by sales, for example. Insufficient investment in security can therefore lead to competitive disadvantage. When we wield the security veto, we must consider the cost of a missed opportunity. With sensible, controlled risk comes reward.