Network Security Security-Management

Senior Management Buy-in (HOW DO YOU OVERCOME?)

Subject: Senior Management Buy-in (HOW DO YOU OVERCOME?)
Date: Wed, 26 Oct 2005 08:50:19 -0700
First off, I must apologize for the long email but Brad wanted details
about how we overcome the challenges in our organization. Here are my
examples which have had incredible results. 

I agree with most of what the list has to say regarding the challenges.
The C level doesn't want to understand anything other than that Security is
pure cost and not a business generator. I think Brad had a great
follow-up question though and that was "What have you done to overcome
these challenges?" I'll address a few changes we have made and
techniques that have launched us onto the Boardroom floor.

1. Make security a business generator. We've talked the talk but until
you spend a few days with the business, you just don't know what goes on
outside of the IT facility. Get your name and face in front of those
guys that are generating revenue, find out what their needs are and figure
out how you can help. In our case, I went with sales staff, I rode with
a driver, I went to a sort facility, and I sat at the call center. What
I found would be the best business generator was security certifications
for the sales staff to boast about. In today's security conscious world
(used loosely), companies want to ensure they are working with secure
companies (whether or not they themselves are). Find out what contracts
your company may be missing out on due to something security related
from your sales force. I could go on but you get the point. Be a
business generator. 

2. Quit being the Security Religion Fundamentalist. Yeah, the world would
be a safer place and nobody would ride in the back of pickup trucks or
ride skateboards without helmets but those are "Best Practice" examples.
In the real world, we use risk assessments. Base your security decisions
on Baseline Security levels and raise the level of security as the risk
level is raised. Show your managers and C level personnel that your
decisions are cost effective and based on the risk to the company and
not on a Security Bible for best practices. Show best practices and what
you "feel" is best for the company and show the cost savings. It will
raise eyebrows as you are now a team player and are willing to negotiate
to help the business. However, when you stand firm on issues that create
a large risk to the company, they will understand and follow. Call it
negotiation or social engineering. If you are in this business, you need
this talent to make things happen. 

3. Social engineering is your friend. Awareness training is great but
it's funny how you never see your C level or board members in the
training room. FIND a reason to get in front of them for a business
reason and then talk security. Better yet, GET TO THEIR ADMINS. Once you
have the ear of their admins and explain some critical security flaws
that would expose their boss or his information, you are in. They are
extremely loyal people and will do anything to protect their boss, and
thus themselves. Start the conversation about something important to
them and work around to what you want to get in front of their boss. I
have many examples but this is getting too long already. I'll send some
as requested. We have hard disk encryption because of this method. 

4. Many companies are "Incident Based" when it comes to security
spending. If there is an incident (and you know there will be), be
prepared in advance to be "Johnny (or Janie) on the spot" with a
solution and get what you can at that point. Once the iron cools, they
forget about the incident and what got them there in the first place.
Have your contingency plans in place to include new procedures and
products that will not only mitigate the existing circumstance but
prevent it next time. Educate the person signing the Purchase agreement.


5. Lastly, ensure your Security Manager, CISO, CSO, or whatever your
leader is called this week has some perceived value to the organization.
They may be the smartest security person on the planet but if they have
no "perceived management value" amongst his peer group of managers or
other C level folks, he won't get 5 minutes in front of them. Ensure
this leader is effective. You need a true "manager" to make this all
work. If you or your organization feel your Security Manager is an
idiot, he/she will be totally ineffective. 

I have seen amazing improvement in overcoming almost all of the obstacles
mentioned in the volley of emails to this thread. In 2005, every
security project we had projected for budget was killed before the
budget was cut. In 2006, security will receive 1/3 of the projected
budget. Our staff has gone from 4 to 27. This stuff works folks.
Especially point 5. 

So to sum it up, get a good leader, base decisions on risk, and show
security as a business generator. The social engineering tip is not
critical but it definitely works. I could add another 5 paragraphs but
this is already way longer than I would sit and read. I hope this
helps.

  
Best Regards,
 
Steven R. Allison, CISSP
Information Security Manager, Americas Region
 
DHL Express
8701 E. Hartford Dr. 
Scottsdale, AZ. 85255
 
Phone:   480-375-6490
Cellular: 480-226-2495
FAX:      480-375-7039
Steven.Allison@dhl.com

"You have enemies? Good. That means you have stood up for something,
sometime in your life." 
- Winston Churchill
