Painting a risk picture, not pointing out a problem
When you approach your management with a security problem, do you paint them a risk picture or just point out a problem? Too often I see junior (and some senior) information security (InfoSec) professionals going to their management, complaining about people violating InfoSec policies, and wanting management to take action against the violators. What they fail to realize is that they are only pointing out a problem, not adequately explaining the risk to the company.
If you want to be successful in the InfoSec community and your career, learn to paint a risk picture.
Do not say "We have people looking at pornography on our network. We need to do something about it."
Learn to say "There are people who are performing some risky behaviors on our network by visiting pornographic websites. Their actions, if discovered by outsiders to our company, would damage our reputation. In addition to reputational damage, the websites they visit are sometimes infected with malware that has the potential to infect or take down our network, steal our company data, and cause lots of hours of work for the IT department. This has the potential to affect other employees besides themselves, costing the company lost hours of work. An infected computer can also serve as a pivot point for an attacker to move through our network. We also stand the risk of harassment claims by an employee who may accidentally view the inappropriate actions of another."
Learn to look at the problem, assess how risky it is, and then define the risk to the company. What is risky for one person may not be as risky for another. Risky internet behavior on the network segment that houses sensitive company data may be riskier than the same behavior on another network with no sensitive data on it. What is a serious risk in one scenario may not be as serious in another.
Also learn to take some of the technical talk out as you move up the management chain. An executive doesn't need to know exactly how the firewalls are misconfigured, nor does an executive need a long speech on the intricacies of the firewall, layer this and layer that, etc. They need to know that the firewalls are not set up correctly, the risks that result from that misconfiguration, your options for reducing those risks (there should be several), and your recommendation for moving forward. At the end of the process, if there is remaining risk, document it on a risk acceptance form, including what you did to reduce it as much as possible.
Another thing I hear unsuccessful InfoSec people say is "Well, if management is willing to accept the risks, then I'm good with it." They say this without first having painted an adequate risk picture. They then draft a hastily prepared risk acceptance document and get upset when management doesn't want to sign it. A good risk acceptance document should explain:
1) What the problem is and the risk it entails to the company.
2) What has been done already to reduce it.
3) What the options are for further reducing or eliminating it, with costs if applicable.
4) The remaining risk that you are asking management to accept.
After receiving this, management should decide whether they can afford to implement any of the options (and remember that doing nothing is always one of the options and should be the first in the list). If they want to implement one of the options, you can hold on to this document until the risk is mitigated or reduced, then update it or close it out as no longer needed, as applicable. If there is remaining risk and management is OK with the level remaining, they can sign it, acknowledging that they are aware of and accept this level of risk.
Documenting risk in this manner will allow you to properly record the risks in your environment and should help both you and management prove you did your due diligence beforehand if a breach occurs. This method should also help you advance in your InfoSec career. Learn to paint risk pictures, not just point out problems.