| Subject: | Re: Create management interest? |
|---|---|
| Date: | Fri, 13 Aug 2004 11:25:54 -0400 |

Sounds like you have a tough road ahead, Star. You might want to start looking for another job in the meantime. ;-)

Does your company have HR policies? Vacation, sick day, termination, etc? If so, does management understand why those policies are important?

Does your management team consider business continuity important? If so, is there a documented plan detailing the precautions and procedures required to keep the business going in case of disaster? It's easy to tell which companies in the World Trade Center had disaster recovery plans in place, because those companies are still in business.

Does management understand the concept of a business plan, and that the plan should be documented prior to starting the business, and updated periodically as the business grows and/or changes? Surely they had a plan before they started the company.

A security policy is no different. It should act as the road map for your security infrastructure. This, of course, means that you should have had a policy in place prior to building out your security program, but we all know how realistic THAT is.

In many cases, writing a security policy forces a company to examine itself and its processes in more detail than ever before. It should always reflect, and align with, the goals and objectives of the business and thus involve upper management intimately. I've found that many executives discover very interesting things about their business through this type of exercise, and often end up making changes that result in improved efficiencies and productivity as a result.

You have to position this as "information" security, not IT security. Management doesn't care about information technology, but they should be very protective of their information assets. Trade secrets, customer data, confidential employee information such as names, addresses, social security numbers, bank accounts, etc.

Often, it helps to remind people that infosec is in their best interest, even if they don't care about the company they work for. Identity theft is a bigger business than brokering trade secrets.

Just my two cents.

- Rich

"the_lonely star" <inploit@hotmail.com>
08/12/2004 02:43 PM

To: security-management@securityfocus.com
cc:
Subject: Create management interest?

Hi,

I'm trying to create interest in security at work. Everyone in the management team thinks that software security can be dealt with by ignoring the consequences. As a security professional, I'm totally against this and they asked me to convince them that a global security policy is the holy grail.

To my own surprise, I haven't found (yet!) any sites that would give me good pointers. We all know that security policies are needed but how do you convince a team who couldn't care less about them? For them, that kind of insurance is a waste of money and they'll just deal with them when it'll happen.

The SANS/FBI data don't really apply to us as we're not a big company. They view those stats as pointless. In fact, I humbly have to agree too on that part.

Anyone had similar real life experience and how could you manage to convince them that working on a security policy is "real work"?

The Lonely Star