The SANS Institute lists the most common mistakes made by Senior Executives.
In an effort to provide some assistance with addressing these mistakes, I'm going to take you through each mistake and provide you with some perspectives that may help your next business case presentation to Senior Management.
In the physical world people will tell you that there are two sides to every story. In the computer world this tenet often holds true as well. There is a propensity for IT security to be viewed as a cost center by the business, and IT security can lose sight of its reason for existence: the day-to-day business (the rare exceptions, of course, are security companies). A balance between the two must be met in order to effectively run a business in a secure fashion. Once this balance is achieved, the business will feel that there is value in its budget spending on security, and security will sleep better at night knowing that it is protecting the business.
1. Assigning Untrained People to Maintain Security
When budgets get tight, training is one of the first line items to disappear. If training is at a minimum, do your research and ensure that the courses you are submitting for approval are the ones most relevant to your job and provide you with the most knowledge for your dollar. If training is at a standstill, encourage senior management to allow junior members of the team to be mentored by senior members of the team. It is simply amazing how much information is passed on through the experience of others. Mentoring doesn't cost an organization hard dollars, and in times of budget constraints this may get approval. The ultimate question to Senior Executives is "Would you let me be your dentist?" The same reasons they cite for not letting you work on their teeth are the same reasons they should not expect you to run critical security services without adequate training.
2. Failing to Understand the Relationship of Information Security to the Business Problem
This is a difficult issue to address. Physical security is something we have accepted through a slow adjustment over a span of years. Electronic security moves very fast and is still a relatively new concept for many people. The best approach is education. Much in the same way you educate end users about safe computing, you must educate senior executives about the consequences of poor information security. If you make your education applicable to the industry in which your business operates, you will deliver a much more effective message. For example, most business executives can easily see the cost associated with the loss of data about a new product line, merger, or proposal.
3. Failing to Deal with the Operational Aspects of Security
Unfortunately, the operational aspects of security are sometimes like an insurance policy: you don't like the cost of it until the time you need it. This is a time when value for dollar spent can really help build your case. Operationalizing security will allow for more efficient use of time and resources. If operationalizing security allows junior staff to perform tasks that senior members are currently doing, there is a direct dollar benefit to the company. If the security team is small, it can allow the team to be more efficient, and efficiency equates to money saved.
4. Relying Primarily on a Firewall
Firewalls are no longer enough. This is a fact that needs to be presented to senior management. The Top Ten Firewall Myths is a great place to start.
5. Failing to Realize How Much Money Their Information and Organizational Reputations are Worth
This will vary from industry to industry, but the awareness level of executives about this issue is climbing. The reasons vary from legislation (HIPAA, GLBA, Sarbox, and PIPEDA) that assigns real dollar values to the misappropriation of information, to news reports about corporate espionage and data breaches. In an era of globalization, the markets can dictate very quickly what a data breach will cost your organization.
6. Authorizing Reactive, Short-Term Fixes so Problems Re-emerge Rapidly
In IT as in life, if we do not learn from history, we are destined to repeat it. Organizations spend millions of dollars annually on proactive measures for fire, insurance, and other preventable problems. A reactive environment costs more to support and eventually leads to a high turnover rate in staff. The reactive approach will cost an organization more money in the long term. Even fire fighters spend a large portion of their time educating the public about preventing fires.
7. Pretending the Problem Will Go Away if They Ignore It
The statistics support the fact that there is a problem, and as more businesses connect themselves to each other the problems will continue to rise. If you cannot educate the senior management team to this effect, it may be time to dust off the resume and begin hunting for a new job.
In Summary
While it seems easy from a security perspective, Senior Executives are generally not security folks. Senior Executives are tasked with running a profitable business and in many cases are still wrestling with the changes that IT has made to the face of business. In almost every case above, the onus is on the security professional to understand how the business operates and the costs associated with securing it, and to present this information to the senior executives. It never makes sense to spend more money protecting an asset than the asset itself is worth. Security is about risk mitigation, so remember that sometimes an unacceptable security risk is an acceptable business risk.