Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Management
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Create management interest?

from [jwtjudd] Network Security [Permanent Link]
Subject: Re: Create management interest?
Date: Fri, 13 Aug 2004 19:10:36 +0000 
Positioning is everything.  Ask your management how much they pay each year in 
liability insurance, bonding, etc.  That's what the security sale is going to 
be in your organization: insurance.  It may sound screwy, but consider:

They buy liability insurance to defray the costs of someone tripping on the 
threshold of the lobby door.  
They buy malpractice insurance to shield them from lawsuits.  
They buy auto insurance for company vehicles, though the odds are aginst one of 
your company's truck being involved in an accident.

Just my $.02.

Cheers,

JJ
--- Begin Message ---
Subject: Re: Create management interest?
Date: Fri, 13 Aug 2004 16:45:42 +0000 
Sounds like you have a tough road ahead, Star. You might want to start 
looking for another job in the meantime. ;-)

Does your company have HR policies? Vacation, sick day, termination, etc? 
If so, does management understand why those policies are important?

Does your management team consider business continuity important? If so, 
is there a documented plan detailing the precautions and procedures 
required to keep the business going in case of disaster? It's easy to tell 
which companies in the World Trade Center had disaster recovery plans in 
place, because those companies are still in business.

Does management understand the concept of a business plan, and that the 
plan should be documented prior to starting the business, and updated 
periodically as the business grows and/or changes? Surely they had a plan 
before they started the company. A security policy is no different. It 
should act as the road map for your security infrastructure. This, of 
course, means that you should have had a policy in place prior to building 
out your security program, but we all know how realistic THAT is.

In many cases, writing a security policy forces a company to examine 
itself and its processes in more detail than ever before. It should always 
reflect, and align with, the goals and objectives of the business and thus 
involve upper management intimately. I've found that many executives 
discover very interesting things about their business through this type of 
exercise, and often end up making changes that result in improved 
efficiencies and productivity as a result.

You have to position this as an "information" security, not IT security. 
Management doesn't care about information technology, but they should be 
very protective of their information assets. Trade secrets, customer data, 
confidential employee information such as names, addresses, social 
security numbers, bank accounts, etc. Often, it helps to remind people 
that infosec is in their best interest, even if they don't care about the 
company they work for. Identity theft is a bigger business than brokering 
trade secrets.

Just my two cents.

- Rich


 



"the_lonely star" <inploit@hotmail.com> 
08/12/2004 02:43 PM

To
security-management@securityfocus.com
cc

Subject
Create management interest?






Hi,

I'm trying to create interest in security at work. Everyone in the 
management team thinks that software security can be dealt with by 
ignoring 
the consequences. As a security professional, I'm totally against this and 

they asked me to convince them that a global security policy is the holy 
grail.

To my own surprise, I haven't found (yet!) any sites that would give me 
good 
pointers. We all know that security policies are needed but how do you 
convince a team who couldn't care less about them? For them, that kind of 
insurance is a waste of money and they'll just deal with them when it'll 
happen.

The sans/FBI data don't really apply to us as we're not a big company. 
They 
view those stats as pointless. In fact, I humbly have to agree too on that 

part.

Anyone had similar real life experience and how could you manage to 
convice 
them that working on a security policy is "real work" ?

The Lonely Star

_________________________________________________________________
Powerful Parental Controls Let your child discover the best the Internet 
has 
to offer. 
http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines
 

  Start enjoying all the benefits of MSN® Premium right now and get the 
first two months FREE*.

--- End Message ---
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Create management interest?, roger . smith
Next by Date:  RE: Create management interest?, Lozano, Jorge A
Previous by Thread:  RE: Create management interest?, Newcomb, Kelly
Next by Thread:  RE: Create management interest?, Lozano, Jorge A
Indexes:  [Date] [Thread] [Top] [All Lists]