When you approach your management when you have a security problem, do you paint them a risk picture or just point out a problem? Too often I see junior (and some senior) information security (InfoSec) professionals coming up to their management and complaining about people violating InfoSec policies and wanting them to take action against the violators. What they fail to realize is that they are just pointing out a problem, and not adequately explaining risk to the company.
If you want to be successful in the InfoSec community and your career, learn to paint a risk picture.
Do not say "We have people looking at pornography on our network. We need to do something about it."
Learn to say "There are people who are performing some risky behaviors on our network by visiting pornographic websites. Their actions, if discovered by outsiders to our company, would damage our reputation. In addition to reputational damage, the websites they visit are sometimes infected with malware that has the potential to infect or take down our network, steal our company data, and cause lots of hours of work for the IT department. This has the potential to affect other employees besides themselves, costing the company lost hours of work. An infected computer can also serve as a pivot point for an attacker to move through our network. We also stand the risk of harassment claims by an employee who may accidentally view the inappropriate actions of another."
Learn to look at the problem, see how risky it is, and then define the risk to the company. What may be risky for one person may not be as risky for another person. Risky internet behavior on the segment of the network that houses sensitive company data may be more risky than the same behavior on another network with no sensitive data on it. What could be a scary risk in one scenario may not be as scary in another.
Also learn to take some of the technical speak out as you move up the management chain. An executive doesn't need to know that firewalls are configured incorrectly and a long speech on the intricacies of the firewall and layer this and layer that, etc. They need to know that the firewalls are not set up correctly, and that because of that, here are the risks of it being configured incorrectly. They also need your recommendation for reducing the risks (which should include several options) and what your recommendation is for moving forward. At the end of the process, if there is remaining risk, then you should document it on a risk acceptance form, including what you did to reduce it as much as possible.
Another thing I hear unsuccessful InfoSec people say is "Well if management is willing to accept the risks, then I'm good with it." They say this without first having painted an adequate risk picture. They then draft up a hastily prepared risk acceptance document and then get upset when management doesn't want to sign it. A good risk acceptance document should explain:
1) What the problem is and the risk it entails to the company.
2) What has been done already to reduce it.
3) What the options are for further reducing or eliminating it. With costs if applicable.
4) Then the remaining risk that you are asking for the management's acceptance of.
After receiving this, management should then decide if they can afford to implement any of the options (and remember that doing nothing is always one of your options and should be the first in the list). If they want to implement one of the options then you can hold on to this letter until the risk is mitigated or reduced and then update the letter or close it out as not needed if applicable. If there is remaining risk, and management is OK with the level of risk remaining, they can sign it acknowledging that they are aware and approve/accept this level of risk.
Doing it in this manner will allow you to properly document the risks in your environment and should help both you and management prove you did your due diligence beforehand if a breach occurs. This method should also help you advance in your InfoSec career. Learn to paint risk pictures and not just point out problems.
I agree entirely, we can't be complainers! I'd go one step further; don't present a problem without also presenting the means or several means to fix it.
If you're presenting a balanced risk picture to someone who gets risk, they'll likely want to be involved in crafting the solution; alternatively, someone who isn't a risk person may want to understand the risk but also want you to make their job easier with a quick decision.
That is what section 3 is for. The area to present solutions (options) to reduce, mitigate, or eliminate it. I have found that if you present several options (including the option to do nothing) it helps the decision maker to make a choice.
And yes I have had several bosses that told me "Don't bring me a problem if you haven't at least tried to find a solution."
@CISOScott wrote:
And yes I have had several bosses that told me "Don't bring me a problem if you haven't at least tried to find a solution."
I'm not opposed to this type of leadership style but it needs to be done carefully. For example, I would rather be informed as soon as the issue / risk becomes known. I could then say, "Thanks for informing me. Let me know what solutions you come up with or keep me updated as things progress." I may have more context to the situation to help come up with a better solution or it's not even an issue at all and they wasted their time finding solutions.
I agree that this can be a good approach with some caveats.
I’ve seen situations where staff did not report incidents because they didn’t have time to or could not come up with a solution or fear of retaliation.
I’ve also seen management who relied only on this message because they simply did not want to take responsibility for resolving issues and would then pass the blame onto the reporting staff member if the resolution failed or caused personnel issues.
I’ve also had management that told staff to fix it themselves first and only come to them if they can’t fix it.
Painting a picture of the risk is better than just saying, this happened, though management should know the risk of the action or they really should not be in management.