Published: 24 Jun 2005
I've stopped sugarcoating one particular piece of bad news: If your organization doesn't take security seriously, there's probably nothing you can do about it.
But how can you tell if your expectations are too high, or if your employer is a front-page news story waiting to happen?
Enterprises that have the potential to be serious about security first need to be serious about risk management. Security practitioners have an easy time when the organization has a specific risk management framework, which includes consistent assessment methods, a shared vocabulary and an ongoing risk-reporting system. These elements engender a risk culture that has enough momentum to maintain consistency in spite of personnel changes. It's an environment in which security managers can flourish.
If your company doesn't have such a culture, you ain't gonna talk the board of directors into creating one. It's that simple. Excellence rolls downhill—it's not something that can be created at the grassroots level. If the combined influence of government regulations and scandal-hungry media haven't already motivated your executives to comprehensively manage risk, why do you think you—the security manager—can change their priorities?
Many security managers have found themselves working at companies that have, consciously or subconsciously, decided to just muddle along. Realistic organizations accept that security failures will happen and pray that they don't; cynical organizations often appoint a CISO as a powerless figurehead.
In either case, what do you do? Your choices are to make the best of it, to hope for change or to leave.
If you're going to make the best of it, thoroughly document your security concerns to at least partially cover yourself. This doesn't mean creating a huge document citing every hypothetical possibility, but precisely identifying the most likely failure scenarios and detailing mitigation recommendations. You should be firm about presenting your ideas, but don't be a pest; just make the effort.
If you think change is possible, it will almost certainly wait until some significant event occurs. You do have the ability to actually create a security incident—it's called penetration testing. If the company wants to avoid security failure, hiring a consultant to prove that its defenses are inadequate can sometimes provide compelling evidence for change.
If you think it over and decide that your organization is a security disaster waiting to happen, you should consider leaving. Do you want an incident to happen on your watch? Worse, do you want to be blamed for it? If you are a figurehead today, will you be a scapegoat tomorrow?
I can't tell you if your expectations are too high, but hopefully this will help you decide if your organization's commitment is too low. Whatever you decide, be professional about it, and don't air your company's dirty laundry in public.
The good news is that companies around the world are getting continually better at managing security risks. Wherever you are, keep learning and honing your skills. If the situation is beyond repair, start looking for a new employer that will appreciates your talent.