Any suggestions to help get the security ball rolling in an enterprise? I am a network engineer who just happens to be the only one concerned with security. Therefore, I have to try to fit security issues in between my true responsibilities. Also, our company historically refuses to acknowledge issues until they bite us in the butt. I don't want any more scars this way and am trying to become proactive; however, my immediate boss ignores pretty much everything I tell her. My theory is that she is afraid that by bringing up these issues, it might look like we aren't doing our jobs correctly. So where do I start? I feel that I need to go above her, but I fear for my job. Yet I am conscientious enough that I know the consequences could be disastrous if we don't start doing something now. I also don't want to implement my own security without any policies to guide and protect me. Where does a poor soul go in an environment like this? A new company?
You are in a tough situation, but you are certainly not the only one. If you would like a policy to guide your actions, develop one. Send it to your boss for review and if it doesn't get past that point, you at least have a baseline of standards for you to follow and point to if something happens. As for implementing security and voicing your concerns, it is a very fine line between being effective and being an annoyance. One thing I have found that works well is to point out what can happen if something is implemented insecurely. For example, if the company wants to put an unpatched IIS server on the Internet, explain what can easily happen, what information could be destroyed or made public, etc. Basically, you just need to frame your presentation in a way that makes security important to management. Usually, though, the most effective means is a security incident, such as Code Red or Nimda. Most managers do not understand security and find it is just costly insurance -- something they feel they can do without until proven otherwise. You can always ensure you implement your projects securely, so at least you have a start.
Going over your manager's head can have disastrous results, depending on your organization's culture. If you truly fear you would lose your job (and you do not want to), I would use this as a last resort. I would document everything, though, and have your manager (or whoever says no to your security recommendations) sign a document that discusses the risks of implementing the server/application in the manner agreed upon and states that they accept those risks.
For more information on this topic, visit these other SearchSecurity.com resources:
Executive Security Briefing: Selling security to upper management
Ask the Expert: Whether to stay with an employer that doesn't support security training
News & Analysis: Quantifying security ROI a hefty challenge for IT
This was first published in September 2002