CSOs and IT Security Managers - Shouting Louder to Make Things Happen
December 7th, 2007 Drazen Drazic Posted in Bad Stuff, Risk Management, governance |
One of the biggest issues we see facing CSOs and IT Security Managers is the effective communication of business risk to the stakeholders who are ultimately accountable for the business (commonly referred to as the C-level team).
(There are quite a few posts in here about the tough job of being an IT Security person in any organisation and I’ve always been pretty blunt in my assessment of the state of the industry).
The recent poll on Beast or Buddha (NB: by no means a definitive sample, and done with about as much context as most annual surveys, but I would not say it is too far off how things actually are) had over 70% of respondents stating that their organisation was in a bad way from a security exposure perspective and did not seem to care.
I wonder how many Security Managers, to an extent, just give up and go with the flow - being careful not to upset the status quo and believing this is how it has always been and this is how it will be (or at least until something really bad happens).
More than 50% of senior IT security people I speak with are not overly happy in their jobs. Most of these guys also believe that the chances of it being better elsewhere are remote. Is the industry really that low?
(Why would anyone be an IT Security Manager?)
If it is, how can we expect change, and how do we finally get those C-level guys to start listening?
First thing: is anyone actually talking to them? Is the path blocked, so to speak? Where are the messages from the security people going?
I’ll put it out there: if no one is listening, shout louder! Put it out there yourself. Document your thoughts and send them to your Management, C-level, Board etc. (depending upon how frustrated you are). Get that information out there, i.e. the information you would only send once the resignation letter has gone in, only don’t wait until then. Write it down properly: what the exposure is, what you recommended, who received it and when. You are more than likely going to piss off some people, but hopefully someone is going to start listening. It may be a career-limiting move because you’ll upset some doofus who shouldn’t be in their management job to begin with, but hey, you’re not happy there anyway, so does it matter that much? The good thing is that should something happen, you can always produce the evidence: “I told you so!” Sounds tough, but it’s a tactic that many in our industry use to great effect, because most believe it’s all they’ve got at times. Shaming some senior managers into action isn’t all that bad. You may be surprised how well it works when, all of a sudden, there is documented evidence to show that if and when something does happen, they were warned and should have understood their accountability.
Accountability: how poorly some understand it, or want to understand it. Is that the root of why things are the way they are?

December 8th, 2007 at 11:01 pm
Nothing I can add. Just thought I would add that!
December 9th, 2007 at 12:29 am
We are waiting for the big thing, as you mention here. It makes no difference what I do, so yes, I go with the flow, and we are a big critical infrastructure Top 200. I won't be there when it happens, hopefully.
December 14th, 2007 at 4:37 pm
[...] on in the series of posts about being an internal IT Security Head, I was talking to a mate today who’s about to start soon as the Regional IT Security Manager [...]