
| Subject: | Re: Create management interest? |
|---|---|
| Date: | Fri, 13 Aug 2004 09:33:50 -0700 |
You didn't say where your firm is based, if it is a publicly traded firm or privately held, what industry sector you are in or if it is a regulated sector...

PLEASE don't try to sell your management the value of security as a ROI -- that will always backfire at some point.

What your management has done, whether or not they realize or accept it and whether or not you agree with it, is a business risk decision. They have decided that the consequences of the risk are less costly to accept than the efforts to mitigate those risks. The real question is whether or not they fully understand the consequences, which brings us back to my opening sentence -- are you subject to regulations, etc. that have consequences management does not fully appreciate?

Show them that security is really part of the management and financial controls of the organization -- forget about security as its own realm. Mind you, if they aren't doing the other management and financial control aspects properly, you've little hope of getting security into that realm to begin with.

Present the security risks in terms of business impact and risk mitigation -- for example, don't quote the cost of having a techie clean up some viruses -- as a security professional I find such stats boring and useless except when trying to budget headcounts. Instead put it in terms of lost business and revenue opportunities -- can your company afford to have its order taking system down for more than a few hours? How much business would you lose if customers couldn't contact you? What about the impact to customer satisfaction ratings? Would you lose part of your customer base - and ultimately the viability of the firm? Would you lose out on potential business opportunities - for example, some firms will not deal with you if you haven't dealt with these risks (think of military or supplier contracts, for example)....

Bob

At 12/08/2004 11:43 AM, the_lonely star wrote:
Hi,

I'm trying to create interest in security at work. Everyone in the management team thinks that software security can be dealt with by ignoring the consequences. As a security professional, I'm totally against this and they asked me to convince them that a global security policy is the holy grail.

To my own surprise, I haven't found (yet!) any sites that would give me good pointers. We all know that security policies are needed but how do you convince a team who couldn't care less about them? For them, that kind of insurance is a waste of money and they'll just deal with them when it'll happen. The sans/FBI data don't really apply to us as we're not a big company. They view those stats as pointless. In fact, I humbly have to agree too on that part.

Anyone had similar real life experience and how could you manage to convince them that working on a security policy is "real work"?

The Lonely Star