
| Subject: | RE: Create management interest? |
|---|---|
| Date: | Fri, 20 Aug 2004 10:33:27 -0700 |
John,
I note the absence of the words:
Risk
Risk Tolerance
Business Continuity
Value Proposition
Security professionals are in the business of "Risk Reduction". I hope
you will have fire-in-your-belly if you believe you are at risk. You
note that others don't have fire-in-your-belly when you see a risk
situation. There could be two (or more) reasons for their behavior.
1. They don't understand the risk.
2. They understand the risk and choose to accept the risk.
You must assess the situation.
For the "They don't understand the risk" case, you are responsible to
identify and explain the business risk (ideally in $ terms) to your
employer. You must present a value proposition for your recommended
action. Make your case and you've done your job.
For the "They understand the risk and choose to accept the risk" case,
you confirm and document their understanding. You've done your job.
In the latter case, relax and read "Atlas Shrugged" by Ayn Rand.
It's that simple.
John
John G. Cronican, Jr.
Sr. Infrastructure Technologist
iProtect Sempra Energy
Sempra Energy Corporate Center & Sempra Energy Utilities
10949 Technology Place
San Diego, CA 92127
(858) 613-5738 (Desk)
(619) 787-1906 (Cell)
(619) 978-2493 (Pager)
JCronican@sempra.com
-----Original Message-----
From: John Blackley [mailto:jblackley@sysmatrix.net]
Sent: Monday, August 16, 2004 12:42 PM
To: security-management@securityfocus.com
Subject: Re: Create management interest?
In-Reply-To: <BAY8-F107Ds01GijnlG0000320b@hotmail.com>
This is a situation that many security practitioners find themselves in
and, to be honest, one that causes many people to leave the security
business.
The answers you've already had at this site are all good and provide
good insight to how others approach information security at their place
of business.
However, you haven't said how you're trying to create interest in
security at work. One thing that does trouble me is your reference to
".....the management team thinks that software security can be dealt
with........." If you are trying to create an interest in software
security then perhaps none of the already-provided advice may apply to
you. Also, your reference to your management's disbelief that creating
policy is "real work" - is there something they would rather you were
doing with your time?
It is our (security professionals) responsibility to understand how
information security applies to the business of our employers and to be
able to communicate that to our employers. If we do that to the best of
our ability and our employers choose to do nothing then we have carried
out our duty as best we can.
I would like to know more about how you're trying to create an interest.
Please either give more details here or write to me and once I know that
I'll be able to offer more help.
John A Blackley