Web security is complicated enough. Adding a healthy dose of politics, like what exists in most organizations, often proves to be more than IT professionals can handle. Most problems in life are financial, health-related, or people-related. It’s the people part of the equation in business that creates a lot of complex – often unsolvable – problems with web security.

As an outsider, I see how the political dynamic shapes where things stand with website security at any given time. There are hidden agendas, power struggles, and other behaviors that hold people and businesses back. One of the core principles of web security is control. Controlling the source code. Controlling who has access to what functionality and information. Controlling how long the system stays up and running. Controlling the response when things go awry. Interestingly, varying types of human control (i.e. politics) play a role in whether or not these security controls get implemented, and whether they’re enforced and effective enough to keep the web environment intact.

As a business executive, politics is a key part of your role. There’s no getting rid of it, but you do need to manage it. You simply cannot afford to sit back and watch nonsensical politics get in the way of web security and end up defining the level of business risk that’s tolerated in your organization. Be it web security funding, awareness and training, technology implementation, or something as seemingly benign as who performs your web security assessments – all of these things determine how secure your web environment is. It’s usually a small number of people who control the reins. It’s the 80/20 Rule: 80 percent of the decisions (some good, many bad) are being made by 20 percent of the people working with web security – oftentimes people who shouldn’t be involved in the security decision-making process at all.

Politics, as Ambrose Bierce defined it, is a strife of interests masquerading as a contest of principles: the conduct of public affairs for private advantage. We see these far-reaching effects in the context of web security on a daily basis. Another fitting observation comes from the Greek statesman Pericles: just because you do not take an interest in politics doesn’t mean politics won’t take an interest in you.

Balancing the complexities of web and information security is hard work. The last thing your team and your business need is a few rotten apples spoiling it all. You’re the leader and the influencer. If you see that politics is steering your web security program in the wrong direction, take control of the wheel. Everything you do (or don’t do) in this regard will ultimately determine your business’s success with web security.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.