(Kevin Beaver is a guest blogger for us on SecurityStreet - and if you like his excellent writings, you can find more on his own website: Kevin Beaver's Information Security Books, Articles, Whitepapers, Webcasts, Podcasts, and Screencasts. I don't want to be biased, but he did write a great blog about us over there too...)
We've all experienced those moments when business executives are put on the spot – often backed into a corner – and they end up making comments and critical decisions about information security as if they know more about it than their own IT staff members do. Well, here's why I believe this happens and why executives are often their own worst enemies when it comes to minimizing information risks:
- The purpose of any business is to keep and maintain a customer. Business survival revolves around sales. They're focusing on their bottom line. As much as they ignore what IT brings to the table in terms of business delivery, they often see IT and especially security as an impediment to their goals.
- People are perfectly selfish. Like your spouse, parents, or friends, executives have selective hearing. They pick and choose the information security-related issues that they believe can work in their favor – which is often none at all.
- Like government welfare programs, many IT and security initiatives are put in place merely for emotional reasons without any metrics or ongoing oversight. The approach is: “Joe in IT, get to the bottom of this so I don't have to hear about it again.” Does that really fix the problem? Of course not. But it looks good and it serves to fulfill the need for immediate gratification.
- Similarly, as with quick fixes for our health issues versus actually doing something about the underlying problems, executives continue to support their IT staff members' “in the weeds” defenses (i.e. chasing every zero-day exploit) versus long-term defenses (i.e. fixing your patch management processes). Ditto with how we as a society look the other way with out-of-control taxes, government surveillance, and so on; for many executives, it's just not worth dealing with the issues they face. It's easier to look the other way than actually think through the problems. Expedient, short-term solutions are easier to grasp than fixing the more challenging people and process problems at the core.
- You've no doubt seen the mom-and-pop BBQ restaurants and pizza joints that claim they're “the best in town”. Those claims always beg the question: Says who? Many business executives take this approach and believe their IT and information risk programs are the best there is simply because someone told them. They have no factual data to back up their claims. I don't expect executives to be involved in every aspect of security but, based on what I see, truly informed decisions are rarely made at the top level.
- Like how people in society deal with divisive political issues, when executives don't want to hear your side of the story regarding information security, you know they have a bigger – unspoken – agenda. That's a hard one to beat.
You've heard how the squeaky wheel gets the oil. Sometimes IT gets the oil, sometimes security gets the oil. But one thing no one ever talks about is how the “wheel” became squeaky in the first place. What makes security squeaky from the get-go? I strongly believe management bears a lot of this responsibility. Apathy and ignorance are no excuse. Yet, still, we as IT professionals are a part of the problem.
In the end, it's their business to run. You're going to have to do your thing and let management do theirs. The best thing you can do is to stay on management's radar. If you don't, then any attempt at putting together a valuable and impactful information security program doesn't stand a chance – especially if they're blindly calling the shots.