Speak my language
Why should I care about security? Seriously, are there any real consequences to non-compliance? Who's going to sue me? The government? My clients? Ha! Isn't risk just speculation, hype and paranoia?
Businesses have different ways of telling security staff that they do not understand the security discipline and its numerous specializations and requirements. When security leaders cannot speak the language of executives, officers and directors, they find themselves wrestling a myriad of demons in an attempt to communicate their value.
When executives and officers challenge security to prove that the threats are real, or convince them it is not just a marketing ploy on the part of Symantec and Sungard, they do not want an answer.
Think about it in terms of a sales department. Would leadership question the need to know who their salespeople are and what they are up to? IT security needs to know who and what is on the network. IT security requirements must be maintained in guidance documents, including sourcing, outsourcing and procurement. Would the business expect finance to manage the general ledger with an abacus? IT security must have a basic toolkit to assess, monitor and manage the technology environment. Would the business hire one person to single-handedly run the legal department, manage the marketing strategy, run the call center and tune the HVAC system? IT security is a specialized field requiring properly trained, dedicated resources. While almost every business silos operations like underwriting, sales and human resources, security continues to be a dumping ground for anything that invokes a fight.
Sometimes claiming to not understand a security situation, strategy or concept is sincere. Other times it is a poorly veiled insult intended to make the security officer feel or look stupid for not explaining, communicating, illustrating or defining their message properly.
This phenomenon of feigned ignorance at the highest levels of corporate leadership persists in all types of organizations and among the most common types of security programs. As corporate governance and controllership continue to grow more regulated at a more granular level, as auditors continue their dereliction of duty and shareholders get more impatient with the lack of organizational transparency, an epidemic of non-compliance is brewing in medium and large companies alike.
Regardless of how many different ways there are to explain security concepts and illustrate the ramifications of a successful exploit, the credibility of security is always in question. This happens for a deeper, more ominous reason.
Repeatedly having to convince a company to abide by mandatory minimum standards is exhausting and can wear down even the most resilient security staff. Watching a chief technology officer or chief information officer deny evidence of a breach, dispute facts about their compliance levels and discredit the security profession itself is not uncommon. Unless an outside entity is in town, pretending to perform a comprehensive audit, the personal contributions that security professionals make to their companies are frequently met with scoff and invalidated.
There are many options for security in these situations, including: 1) quitting your job in search of a firm that at least pays better lip service to security; 2) letting yourself be convinced you're not a team player and altering your perception of reality to match the business; 3) covering yourself by saving every sign-off or email illuminating that you did your job and someone else rode roughshod over you to weaken security or failed to respond appropriately; 4) leaving the profession; 5) becoming a consultant; 6) anticipating the watershed of security incidents and exposed non-compliance that is long overdue and finding a niche mopping up blood from the fallout; or, lastly, 7) learning to communicate like a salesperson, evangelist or politician.
Lisa F. Picard, security and business continuity, World Access, Inc.
Stole, not earned
While overall I thought the editorial "Cashing in on Misconfigured Systems" [May 2006] was excellent, I was taken aback at the statement "…they earned about $20 million" in reference to the Russian crime ring.
They did not earn that money, they stole it. We must never give these criminals any idea that their actions are in any way a legitimate means to make a living.
Thanks for listening!
Barry R. Boerner, environmental manager, information security administrator, Florida Department of Agriculture and Consumer Services
McKinnon no criminal
Replying to Gary McKinnon's argument for hacking into the U.S. Department of Defense's computers [May 2006], Roger Light states that he would expect criminals to be brought to justice "no matter what their excuse is." But this does not look at the whole picture.
Gary McKinnon pointed out that it was, in fact, very easy to do, and that he did not actually damage anything or cause any financial loss.
The only reason there is a big storm about this is because a negligent attitude to security has been exposed, and blame for this is being shifted to another party. It should be counted as very lucky that there was no malicious intent.
Tim White via email