Choose your security battles wisely
Winning over management to support security measures
requires tact, preparation - and a willingness to surrender
We IT security people have chosen a career in which we know that no
matter how hard we strive, we will never win. We have to be perfect; the bad
guys only have to be persistent. We can only defend against what we know and
have seen; they are free to develop new attack methods at will. We have to
accept that we'll spend our careers doing the best job we can -- and we'll still
The losses we suffer aren't only to the bad guys. Most new computer-
security people aren't prepared for how often they will fight against own
company -- and lose. Proactive security people are often seen as anti-business,
when the truth is they care very much about the business. I always say that a
little tension between the computer security department and the business
revenue-generating departments is a good thing. It means both parties are
doing their jobs.
I'm quite familiar with overzealous computer security people who seem
determined to undermine their own careers by escalating every security
pushback into war against the establishment. Every lowered security mitigation,
in their mind, exposes their organizations to financial ruin -- and makes them a
laughingstock in the press.
History is replete with examples of people who either muffled their good
opinion or saw it ignored, then watched their companies go from billion-dollar
leaders to bankrupt in a day. The staff accountant at Enron, the Wall Street
power brokers pushing high-risk, worthless financial instruments, or more
recently, the BP engineers who watched supervisors falsify safety valve tests
are certainly in this group. I bet that senior management -- and investors -- wish
that knowledgeable people had spoken up louder or that their warnings had
The problem is, too many security people that feel this way about every
issue and end up alienating even their biggest, earliest supporters. In reality, if
you want to move ahead in a company, there's no better way than to shut up
and do what you're told. Fighting back against management is one of the
quickest ways to shorten your career trajectory.
So when is it time to stand strong on principal in the face of oppressive
pressures and how should you do it? It's a fine balancing act. The keys to being
a good advocate for your employer are appropriateness, attitude, preparation,
and phrasing. The following are some key strategies.
Wage wars sparingly. Most of the time the arguments being made by the well-
intentioned security folks are technically correct, but in reality, the dangers they
cite don't expose the company to much additional risk.
For example, I frequently see security engineers writing heated emails
over a weakness in the SSL protocol, flimsy password hashes, or unencrypted
network connections. All of these things are something to be worried about and
could lead to confidential information loss, but it's hard to be worried about
those sorts of risks when there are probably a hundred other bigger risks they
should be worrying about, including social engineering, fake Trojan programs,
and insufficient patching. Realize that most of the big risks you could worry
about probably aren't mission-critical in the larger context. Argue against
Prepare for the debate. Research the facts of the potential risk and know them
better than your adversaries. Be ready for the discussions. Know your
adversaries' positions and facts and look for weaknesses. Ahead of time, argue
internally against your own facts, to try and find weaknesses, mitigations, and
additional problems. The world's best scientists often argued more effectively
against themselves than could their adversaries -- Albert Einstein, for example -
- and it made them better.
Avoid hyperbole. It's easy to be emotional when you see the company making
a big mistake, but you must remove that emotion (most of the time) to be taken
seriously by senior management. Don't say things like, "This will absolutely lead
to a compromise," or "The company will end up losing tens of millions of dollars
a day," or "Our customers will drop like flies." Instead, talk about increased risk
and increased likelihood. The truth is that you can't predict the future. Many
companies have made poor security decisions but got away without any
damages due to luck.
Better still, research the risks and the benefits of a particular decision and
try to put each into empirical dollars and percentages. Sometimes you won't be
able to find hard numbers and will only be able to say something in general,
such as, "This will significantly increase the risk of compromise." But if you can
put real dollar figures or likelihood of occurrence, it will have greater impact.
Never (or very rarely) go above your boss's head. Every time I've seen this
done, it has resulted in negative consequences for the well-meaning employee.
Management tends to stick together, and violating this often implied protocol
could be disastrous to your career. If you are absolutely convinced that your
boss is ignoring huge consequences, approach HR or another friendly
management person and ask how to handle the situations.
Make your best reasonable argument with facts and without emotion. Be
prepared to lose the battle -- just make sure your concerns are well documented
and that you are trying your best to be an advocate for the company's interest. If
they don't act on your idea, let it go. It's out of your control, and it's just another
fact of the career of a computer security person.
Don't drive yourself insane, and keep fighting the good fight.
wisely-076?page=0,0 – Acesso em 10 de agosto de 2010