What if? What if instead of business people being told to justify their plans to security, security had to advise the business regarding the operational impact of their new patches, firewall rules, badging policies, etc?
What if instead of a security audit for operations, there were an operations audit for security?
What if the business people had the last word? Security would make their case for new restrictions on information flow, advising on the risk rather than deciding to avoid it. Business then, advised of the risk, can decide upon avoidance, mitigation, or acceptance based on the effect on operations.
What if the relationship between Operations and Security were reversed?
I’d like to see what would happen…