Choose Your Security Battles Wisely


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Choose Your Security Battles Wisely

  1. 1. Choose your security battles wisely Winning over management to support security measures requires tact, preparation - and a willingness to surrender Roger Grimes We IT security people have chosen a career in which we know that no matter how hard we strive, we will never win. We have to be perfect; the bad guys only have to be persistent. We can only defend against what we know and have seen; they are free to develop new attack methods at will. We have to accept that we'll spend our careers doing the best job we can -- and we'll still lose. The losses we suffer aren't only to the bad guys. Most new computer- security people aren't prepared for how often they will fight against own company -- and lose. Proactive security people are often seen as anti-business, when the truth is they care very much about the business. I always say that a little tension between the computer security department and the business revenue-generating departments is a good thing. It means both parties are doing their jobs. I'm quite familiar with overzealous computer security people who seem determined to undermine their own careers by escalating every security pushback into war against the establishment. Every lowered security mitigation, in their mind, exposes their organizations to financial ruin -- and makes them a laughingstock in the press. History is replete with examples of people who either muffled their good opinion or saw it ignored, then watched their companies go from billion-dollar leaders to bankrupt in a day. The staff accountant at Enron, the Wall Street power brokers pushing high-risk, worthless financial instruments, or more recently, the BP engineers who watched supervisors falsify safety valve tests are certainly in this group. I bet that senior management -- and investors -- wish
  2. 2. that knowledgeable people had spoken up louder or that their warnings had been heeded. The problem is, too many security people that feel this way about every issue and end up alienating even their biggest, earliest supporters. In reality, if you want to move ahead in a company, there's no better way than to shut up and do what you're told. Fighting back against management is one of the quickest ways to shorten your career trajectory. So when is it time to stand strong on principal in the face of oppressive pressures and how should you do it? It's a fine balancing act. The keys to being a good advocate for your employer are appropriateness, attitude, preparation, and phrasing. The following are some key strategies. Wage wars sparingly. Most of the time the arguments being made by the well- intentioned security folks are technically correct, but in reality, the dangers they cite don't expose the company to much additional risk. For example, I frequently see security engineers writing heated emails over a weakness in the SSL protocol, flimsy password hashes, or unencrypted network connections. All of these things are something to be worried about and could lead to confidential information loss, but it's hard to be worried about those sorts of risks when there are probably a hundred other bigger risks they should be worrying about, including social engineering, fake Trojan programs, and insufficient patching. Realize that most of the big risks you could worry about probably aren't mission-critical in the larger context. Argue against management sparingly. Prepare for the debate. Research the facts of the potential risk and know them better than your adversaries. Be ready for the discussions. Know your adversaries' positions and facts and look for weaknesses. Ahead of time, argue internally against your own facts, to try and find weaknesses, mitigations, and additional problems. The world's best scientists often argued more effectively against themselves than could their adversaries -- Albert Einstein, for example - - and it made them better.
  3. 3. Avoid hyperbole. It's easy to be emotional when you see the company making a big mistake, but you must remove that emotion (most of the time) to be taken seriously by senior management. Don't say things like, "This will absolutely lead to a compromise," or "The company will end up losing tens of millions of dollars a day," or "Our customers will drop like flies." Instead, talk about increased risk and increased likelihood. The truth is that you can't predict the future. Many companies have made poor security decisions but got away without any damages due to luck. Better still, research the risks and the benefits of a particular decision and try to put each into empirical dollars and percentages. Sometimes you won't be able to find hard numbers and will only be able to say something in general, such as, "This will significantly increase the risk of compromise." But if you can put real dollar figures or likelihood of occurrence, it will have greater impact. Never (or very rarely) go above your boss's head. Every time I've seen this done, it has resulted in negative consequences for the well-meaning employee. Management tends to stick together, and violating this often implied protocol could be disastrous to your career. If you are absolutely convinced that your boss is ignoring huge consequences, approach HR or another friendly management person and ask how to handle the situations. Make your best reasonable argument with facts and without emotion. Be prepared to lose the battle -- just make sure your concerns are well documented and that you are trying your best to be an advocate for the company's interest. If they don't act on your idea, let it go. It's out of your control, and it's just another fact of the career of a computer security person. Don't drive yourself insane, and keep fighting the good fight. Fonte: wisely-076?page=0,0 – Acesso em 10 de agosto de 2010