Continuing my line of thinking from my previous post, "Do You Need a Security Department?", I wanted to speak to this notion of having responsibility without authority. It seems to be a problem common to many security people in their respective organizations, and it perplexes me greatly.
Traditionally, the response to this problem has been to undertake building a security organization that could essentially assert authority over key areas (access management, risk management, audit/testing, logging and monitoring, incident response, etc.). This approach made sense because most orgs were (are?) rife with people who simply do not "get" security. Rather than undertake a massive educational effort alone, which would take time and extend exposure, it instead made sense to just take ownership of these areas to ensure that the "right things" were done.
Today, however (and this is really the underlying point of my post), this may not necessarily be the best approach. It will absolutely depend on the organization, no doubt about it. And I'm not saying you cannot or should not continue with the traditional approach. However, it bears consideration whether or not it is optimal and effective to grab authority rather than to simply make sure that the responsibility itself is properly placed.
If you think about it, security likely should not be truly responsible for much of anything. This whole "responsibility without authority" scenario is, in fact, a grave injustice that enables bad behavior; specifically, behavior where people deflect responsibility inappropriately. Culturally, this seems to jibe with a larger issue (it reminds me of Douglas Adams' "SEP field generator" concept). If you don't have to own your actions, then you don't have to act responsibly or appropriately. Requirements without consequences for failing to conform are worthless.
In the end, I'm increasingly inclined to believe that the reason we are where we are in this industry is because we in security roles have taken on too much responsibility. It's time to stop enabling bad behavior.
"However, it bears consideration whether or not it is optimal and effective to grab authority rather than to simply make sure that the responsibility itself is properly placed."
Exactly!
I think you hit on the true underlying problem. If people did their job correctly AND securely in the first place, there would be little for a security team to do (maybe that's a stretch... but certainly less).