
| Subject: | Re: Create management interest? |
|---|---|
| Date: | Fri, 13 Aug 2004 14:01:33 -0500 |
I had drafted a more cynical perspective but with much the same points as
Rich. Rich is dead on correct!
You have a tough job. Does management care about continuity? It isn't
just about keeping the bad guys out. It's about not letting ANYthing IT or
operational be unacceptably vulnerable. You can't decide what is
acceptable...the stakeholders must do that and from that will come
palatable policies. You can start with things like best practices but
security is ongoing and dynamic and very dependent on how your management
values its assets. Guarding candy machines doesn't warrant the same
security measures as the data center.
I can suggest finding support for your mission within the sales groups and
high value groups that HATE downtime, bad info, late info, sabotage, theft
of info, misconfigured systems, untested software, etc.
I could never convince executive management with stats, reports, sermons or
prayers. It took a valued salesperson that lost money and finally saw the
value of my mission and believe me.....the executives couldn't dismiss it
anymore. Follow the $$$$. Those that can get hurt in the wallet will
support you better than FBI statistics.
In my more cynical version I suggested you look for a new job with a
company that cares. You are faced with changing the culture of an
organization. Large or small it is no easy task. Be patient, be diligent,
build consensus among the people with $$$ to lose. But, be prepared - when
the culture shifts in your favor - you may become overloaded with
responsibilities. Define your position carefully or you'll be writing
policy, enforcing policy, and securing the enterprise all by your
lonesome....an impossible task without proper resources and mission
definition.
Good Luck!
Rog -
From: Richard.Sullivan@neupart.com
Date: 08/13/2004 10:25 AM
To: "the_lonely star" <inploit@hotmail.com>
cc: security-management@securityfocus.com
Subject: Re: Create management interest?
Sounds like you have a tough road ahead, Star. You might want to start
looking for another job in the meantime. ;-)
Does your company have HR policies? Vacation, sick day, termination, etc?
If so, does management understand why those policies are important?
Does your management team consider business continuity important? If so, is
there a documented plan detailing the precautions and procedures required
to keep the business going in case of disaster? It's easy to tell which
companies in the World Trade Center had disaster recovery plans in place,
because those companies are still in business.
Does management understand the concept of a business plan, and that the
plan should be documented prior to starting the business, and updated
periodically as the business grows and/or changes? Surely they had a plan
before they started the company. A security policy is no different. It
should act as the road map for your security infrastructure. This, of
course, means that you should have had a policy in place prior to building
out your security program, but we all know how realistic THAT is.
In many cases, writing a security policy forces a company to examine itself
and its processes in more detail than ever before. It should always
reflect, and align with, the goals and objectives of the business and thus
involve upper management intimately. I've found that many executives
discover very interesting things about their business through this type of
exercise, and often end up making changes that result in improved
efficiencies and productivity as a result.
You have to position this as "information" security, not IT security.
Management doesn't care about information technology, but they should be
very protective of their information assets. Trade secrets, customer data,
confidential employee information such as names, addresses, social security
numbers, bank accounts, etc. Often, it helps to remind people that infosec
is in their best interest, even if they don't care about the company they
work for. Identity theft is a bigger business than brokering trade secrets.
Just my two cents.
- Rich
From: "the_lonely star" <inploit@hotmail.com>
Date: 08/12/2004 02:43 PM
To: security-management@securityfocus.com
Subject: Create management interest?
Hi,
I'm trying to create interest in security at work. Everyone in the
management team thinks that software security can be dealt with by ignoring
the consequences. As a security professional, I'm totally against this and
they asked me to convince them that a global security policy is the holy
grail.
To my own surprise, I haven't found (yet!) any sites that would give me
good pointers. We all know that security policies are needed but how do you
convince a team who couldn't care less about them? For them, that kind of
insurance is a waste of money and they'll just deal with them when it'll
happen.
The sans/FBI data don't really apply to us as we're not a big company. They
view those stats as pointless. In fact, I humbly have to agree too on that
part.
Anyone had similar real life experience and how could you manage to convince
them that working on a security policy is "real work"?
The Lonely Star