How to Increase the Likelihood that your Security Risk Recommendations are accepted

Via @adamshostack came this post by @lennyzeltser: "Why Business Managers Ignore IT Security Risk Recommendations."

It is a tremendous list of excellent content. I will turn it around slightly and offer some thoughts on how to increase the likelihood that your security risk recommendations are accepted. In many ways this comes down to whether your management trusts you to invest capital wisely, and not just in the abstract but relative to the other managers in your organization. They are looking at a number of projects that require time and money across a broader view of the organization than just your department. It is their job to optimize outcomes for the organization as a whole. How can you build the case that you are the one to be trusted over another manager?

Here is what I would look for:

1.  Show that you have already optimized for cost reduction. Moving SSH off port 22 is a good example. It may not increase security against a targeted attacker, but it removes most of the automated scanner noise from your logs, which cuts the storage and the staff time needed to manage and review them. Standardized configurations may be another example, depending on your organization. Demonstrate that you can manage OpEx.

2.  Show that you have optimized the use of your existing security infrastructure. The best example is the two controls that have a proven track record in infosec: two-factor authentication and VPNs. Do your critical accounts require two-factor authentication? What about vendor accounts? Is your firewall or mail gateway filtering attachments? Show that you can manage CapEx.

3.  Max out the use of free and open source tools. There are a lot of these in infosec and many can do everything you need; often, though, they cannot. Knowing the difference shows that you are aware of what is available and are making informed decisions. For example: you have been using a free web-app scanner, but with the increased importance of the ecommerce site, a professional assessment is warranted. Having already run the free scanner reduces the risk that you pay an expert to find the easy problems rather than the hard-to-find ones. Show that you know how to use money wisely.

4.  Know your capabilities. Most organizations cannot handle the bleeding edge. Trying to deploy a shiny new all-encompassing system that watches what every user does everywhere will tax your resources and may fail outright. You need wins to maintain your credibility. Optimize for success.
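Before claiming the log savings in item 1, put a number on them. The script below is an added example, not code from the original post: it scans sshd lines from a syslog-style auth.log, separates scanner noise (failed logins and invalid-user probes from sources that never successfully authenticate) from ordinary user fumbles, and reports what share of the sshd log volume the noise represents. Run it against a day of logs before and after the port change and you have the before/after figure for the OpEx argument. The log lines embedded here are constructed for the example and use documentation IP ranges; the function and field names are my own.

```python
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH syslog format (not real logs).
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:07 bastion sshd[4112]: Invalid user admin from 203.0.113.7 port 51234
Mar  3 02:14:09 bastion sshd[4112]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 02:14:12 bastion sshd[4115]: Invalid user oracle from 203.0.113.7 port 51240
Mar  3 02:14:13 bastion sshd[4115]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar  3 02:15:40 bastion sshd[4120]: Failed password for root from 198.51.100.23 port 40022 ssh2
Mar  3 02:15:44 bastion sshd[4120]: Failed password for root from 198.51.100.23 port 40022 ssh2
Mar  3 02:15:48 bastion sshd[4120]: Failed password for root from 198.51.100.23 port 40022 ssh2
Mar  3 08:02:11 bastion sshd[5201]: Accepted publickey for deploy from 192.0.2.10 port 61022 ssh2: ED25519 SHA256:abc
Mar  3 08:02:11 bastion sshd[5201]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar  3 08:30:05 bastion sshd[5230]: Failed password for alice from 192.0.2.11 port 61100 ssh2
Mar  3 08:30:09 bastion sshd[5230]: Accepted password for alice from 192.0.2.11 port 61100 ssh2
"""

# Message patterns emitted by OpenSSH for the three events we care about.
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
INVALID = re.compile(r"Invalid user (\S+) from (\S+) port \d+")


def summarize(log_text: str) -> dict:
    """Classify sshd log lines and measure the share that is scanner noise.

    A source address that never produces an 'Accepted' line is treated as a
    scanner; its failed and invalid-user lines count as noise. Failed attempts
    from a source that does log in later are treated as legitimate fumbles.
    """
    sshd_lines = 0
    accepted = 0
    accepted_sources = set()
    failed = []   # (user, source)
    invalid = []  # (user, source)

    for line in log_text.splitlines():
        if "sshd[" not in line:
            continue  # not an sshd line; other daemons share auth.log
        sshd_lines += 1
        m = ACCEPTED.search(line)
        if m:
            accepted += 1
            accepted_sources.add(m.group(3))
            continue
        m = FAILED.search(line)
        if m:
            failed.append((m.group(1), m.group(2)))
            continue
        m = INVALID.search(line)
        if m:
            invalid.append((m.group(1), m.group(2)))

    noise_sources = Counter()
    for _user, src in failed + invalid:
        if src not in accepted_sources:
            noise_sources[src] += 1
    noise_lines = sum(noise_sources.values())

    return {
        "sshd_lines": sshd_lines,
        "accepted": accepted,
        "failed": len(failed),
        "invalid_user": len(invalid),
        "noise_lines": noise_lines,
        "noise_share": noise_lines / sshd_lines if sshd_lines else 0.0,
        "noise_sources": noise_sources,
    }


def report(log_text: str) -> str:
    """Render the summary as a short text report for a status update."""
    s = summarize(log_text)
    lines = [
        f"sshd lines: {s['sshd_lines']}",
        f"accepted logins: {s['accepted']}",
        f"failed passwords: {s['failed']}, invalid-user probes: {s['invalid_user']}",
        f"scanner noise: {s['noise_lines']} lines ({s['noise_share']:.0%} of sshd volume)",
    ]
    for src, n in s["noise_sources"].most_common():
        lines.append(f"  {src}: {n} noise lines")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AUTH_LOG))
```

On real logs, feed the function the contents of /var/log/auth.log (or the journal export) for a matching window before and after the port change. Two caveats worth stating in the proposal: the noise drop is about mass scanners, so it says nothing about a targeted attacker, and the port change is not a substitute for key-only authentication or lockout on repeated failures.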

To me this is just the infosec version of "Start where you are, with what you have," attributed to Teddy Roosevelt and Arthur Ashe. Corporations are capital management organizations. The better the return on capital, the happier the shareholders and management. Your ability to consistently deliver projects on time and on budget will build your credibility. Start with the basics.

(Note that I have not included any financial models on how to prove the value of your project.  Maybe for another day. Or never.)
