[Dave Birch]In talking about innovation over the last months we have also from time to time mentioned barriers to innovation. In places, I have mad a mental note to look again at some areas where the barriers are being erected by the very same organisations that want to increase innovation. A perfect example of this came my way when James Gardner wrote on the topic of security. This is a great case study, because of the tension between the security department (if one exists) and the innovation department (if one exists). James Gardner sets out a banker's perception of the security guys
I shut my mouth at this point, knowing I was speaking with that most invidious of creatures, the professional security specialist. You know the type: they spend all their days dreaming up the reasons you can't do something, rather than helping you find out how you can. Theirs is the right to kill any change for any reason, so long as it is related to a "potential security issue".
[From BankerVision: Does the business case for IT Security stack up?]
Surely the security department must have function other than blocking innovation? Like, for example, improving security. But actually, this is not so clear cut. In some organisations, the function of the security department is more about ensuring compliance, making sure that the right boxes have been ticked, because that is what they are paid and bonused on. They don't get a bonus if no security breaches are detected, or new customers are signed up, or if new products are delivered.
So the recent assertion from IT security chiefs at certain high-profile UK organisations that their primary concern was actually ensuring compliance with regulations such as the Sarbanes-Oxley Act and Payment Card Industry (PCI) standards may come as a surprise.
[From Security is built on compliance - WhatPC?]
I don't want to talk about whether compliance improves security or not, that's a different issue, but whether security is a genuine block on innovation, whether is isn't but is perceived to be, or whether it doesn't make any difference to the organisation.