This is a "guest diary" submitted by Russell Eubanks. We will gladly forward any responses, or please use our comment/forum section to comment publicly. Russell is currently enrolled in the SANS Masters Program.
The primary reason your security program is struggling is not a lack of funding. If your program is failing, you need a better explanation than not having the budget you are convinced it requires in order to succeed. Do not blame poor security on poor funding. Blame bad security on the REAL reason you have bad security. I hope to encourage you to take a new look at what you are doing and determine whether it is working. If it is not, I encourage you to make a change by using the tools and capabilities you already have to tell an accurate story of your security program, backed by the metrics it has needed for far too long.
Johannes, ISC Handler, Aug 14th 2013
Agreed! Well, mostly.
However, the problem isn't *only* about getting the message across to management either. When management lets anyone who complains about the new policies skirt them because they're "inconvenient"... (shrug) There's not much one can do besides look for other solutions to propose and wait for the next big event to remind them, without saying "I told ya so", which never goes over well. What's frustrating is when the people charged with making those decisions ignore your advice (regardless of what stats you have to back it up) and figure they know better than you because they're "technical"... after all, their VCRs don't flash 12:00 anymore and they set up their own WiFi at home, so they must be "technical", right? (sigh)
Brent, Aug 14th 2013
Part of the problem is showing benefit each step of the way. Let me make an analogy with construction -- like building a storage building.
You first must purchase land to put it on. The need to store stuff indoors is not satisfied a bit by that step. Assuming you get approval to do it anyway, the next step is to grade the land and put in drainage, utilities, etc. You may claim that this increases the value of the investment, but by itself it also fails to provide any direct benefit. Again, assume you get approval anyway. The next step is to dig the foundation. Still no direct benefit for storing goods inside. Next is to pour the foundation. Still no benefit. Then pour the slab. Still no benefit; you still cannot store a single thing indoors despite all the money you have spent. Your project is probably in jeopardy of being cancelled.

Next step is to put up the walls. Well, now at least you can claim that you have secured an area. Then we put on the roof. Wow! With the roof, you have protection from the rain. You probably should have put on the roof first, so you could show benefit at the very first step. Then the walls would add security, etc. You get the picture. Obviously (to management, who is *NOT* technical) you went about the whole thing backwards!

The problem with showing benefit at each step is that you either have many more steps, increasing overall cost, or you never get done at all. You need to show the *WHOLE* plan, from start to finish, with schedule and budget, and show how you will track it (retain a certified project management consultant?) and get approval on the whole deal up front. That is the cheapest and fastest way to go, and if management doesn't understand that, then quit and go to work somewhere that they do.

Also, cut them some slack: they may choose to not implement your project for reasons that are never made clear to you. It might not be your fault. They may have another project that is outside of your discipline that is more important, and they do not have the budget for both. You may never know what that other project is, especially in a BIG company.
Moriah, Aug 15th 2013
Quoting Moriah: "Also, cut them some slack: they may choose to not implement your project for reasons that are never made clear to you. It might not be your fault. They may have another project that is outside of your discipline that is more important, and they do not have the budget for both. You may never know what that other project is, especially in a BIG company."

Absolutely. The bottom line is it's their decision to make (and they're wrestling with other problems totally unrelated to IT), and it's our (IT's) responsibility to help them make informed decisions, to let them know what the risks and costs would be. I've usually been able to get security-related projects approved (though not always immediately; budget/time constraints 'n alla that, grin), but I've also worked in IT long enough that I've run across management that's convinced they know better than anyone in IT until events proved them wrong. Oddly enough, this was usually at small companies, not big ones. Anyway, the point I was making was just that sometimes the best you can do is to inform Management, as best as you can, what the risks/rewards and costs/benefits of various choices are, and not to take it personally if the answer to your proposal is "No" or "Not this quarter".
Brent, Aug 15th 2013
I totally agree that my job is to make sure that management is aware of and understands the risk. A proposed solution is secondary. While it may be what I really want to accomplish, my job responsibility is primarily to make them aware.
Should management choose not to take my recommendations, I do my very best to not take that personally. (I will readily admit that sometimes I am more successful at this than others!) I try to focus on the fact that I have done my job to the best of my abilities and with the best interest of the company in mind. If I can say that I've done this, more often than not, that is enough for me. I find it best to draw on management's experience to present the matter in a way that they can really understand. If management came up through physical security, I'll draw a parallel. If they came up through credit, I'll draw a parallel. Often I will step outside of their professional life and use daily life issues to do so. "Do you leave your doors open or lock your house?" "Even though you have an alarm, is it wise to leave the door unlocked?" etc.
matt, Aug 16th 2013
Matt,
Great point about not making it personal. I have fallen into that trap before a few times.

Russell Eubanks
Russell, ISC Handler, Aug 28th 2013
Great point: other projects can certainly get priority even when we have done everything "right".

Russell Eubanks
Russell, ISC Handler, Aug 28th 2013