Subject: An Open Letter to CEOs for Security Professionals Justifying Security posted by ScottWright on Thursday, March 12th 2009 @ 6:24 AM
The letter below was posted by Michael Starks at The Security Catalyst. As part of the job of justifying security, any IT manager with security responsibilities will likely hit the C-Wall: a barrier to getting your job done - or at least, what you thought your job was supposed to be - that arises because of senior management's priorities.
I think the letter below reflects the frustration of many security professionals when it comes to having their voice heard.
by Michael Starks
Dear Chief Executive Officer,
I want to help.
When you hired me as a security professional, I had certain expectations. I expected that you would come to me for guidance when evaluating new technologies. I expected that you would solicit my feedback when engaging in risky ventures. I expected that, as a professional, my security expertise would be valued.
I want to help you pass audits. In order to do that, you need to understand that passing the audit is not the actual goal. To pass audits, we need to have a security program that is perpetually healthy – one that creates and builds a security culture. It needs to be healthy enough where passing audits is a natural consequence of how we handle information.
I want to help you stay safe from attack. In order to do that, we need to not only perform risk analysis, but also act on the results. We need to take these results and turn them into action plans. We will sometimes need a budget to make these things happen.
I want to help you avoid fines, bad publicity and more regulations. In order to do that, we will need to actually enforce the security policy we already have, and which you signed off on. Yes, that means consequences for those who willingly violate.
I just wanted you to know that when you put systems into production and say, “we’ll do the security stuff later,” I can’t help you in the best way possible. When you start audit activities two months before the audit, then try to negotiate away the exceptions, I can’t help you in the best way possible. And when you don’t approve a critical patch on a production system because it might break something, I can’t help you in the best way possible.
I want to help you sell your product. In order to do that, the business has to stay safe enough to meet your goals. Let’s work together to find creative ways to protect the business.
Yours in security,
The Security Professional
Posted by Michael Starks on Tuesday, March 10, 2009 at 6:00 am
What do you think? Will Michael's letter help in your situation? Or, do you have another approach to communicating with your management? Or, when you find yourself in this situation, do you just polish up your resume, and move on?