How many people have come across this argument, in terms of shoving one's head in the sand, and hoping it will just go away? Because it will not, so just stop hoping and do something about it!
The stifling-innovation argument is pretty common amongst those that have swallowed the MVP/we're-a-startup mantra in long-established organisations. There's a tendency for these teams to build something and then leave it behind for someone else to maintain, just adding to the organisation's overall tech debt.
Unfortunately, since I have been in Security (let's just say far too long LOL), management have always downplayed Security or treated it like a nuisance (yep that's the word I want to use).
The only time that I have seen management take any real interest is when "something" has happened and then the purse strings would open and we had their attention.
Even with all the tools, I don't think the issues will ever go away.
I agree, many organisations pay lip service until something does go wrong. There is always a loophole. For example, the privacy legislation's mandatory disclosure rule states that if a breach occurs then you must report it. However, in the event of ransomware the organisation often gets away with this, as a) no personal data was affected, or b) they pay the ransom up front before the media get hold of it, or c) they mitigate the risk by getting the cybersecurity insurance provider to pay it up front and take a punt on the increase in premiums.
The human condition states that if there is a loophole, then seek it out and test it. Often it works.
Hi @dcontesti. Unfortunately the world is changing, and, as in the USA and Australia, further mandates are coming in to thwart that type of behaviour.
If you read back to the Petya and NotPetya days, circa 2016, the Russians have been circulating a lot of malware aimed and tested at Ukraine, where nationwide power cuts were experienced. This was an experiment, given the fact that the Russians knew the Ukrainian networks, as the Russians installed them in the first place.
Unfortunately, we are at a critical point, where the capability to literally take out nations' critical infrastructure has been proven a number of times. All of these were experiments conducted by the Chinese and Russians.
We do a lot of things to cut costs, but there will be a point at which we have to ask ourselves whether we can trust the very systems we depend upon, or, like the US Government, whether we come to a point where we have to state "I simply have to start again", as they did not trust the systems they depended upon.
Unfortunately, a lot of organisations are not prepared.
@Caute_cautim I couldn't agree with you more.
When I worked for one global organization, InfoSec was a priority at Global (which I reported to). However, at the local level it was seen as a hindrance. The answer to Global was always: we adhere to all the local, state, etc. rules and regulations.
I am glad to see a change being made in some of those regulations and am hopeful that there will be penalties associated with non-compliance.
Also, I definitely agree about critical infrastructure, but unfortunately some companies do not see themselves in that vein. Yes, we see water and power companies playing the catch-up game and protecting themselves. However, we do not see other Industrial Control Systems-type companies even thinking they are critical. As the world changes, industries move in and out of being critical. WWII showed us how critical steel companies and other manufacturers were.
So I hope that some folk wake up and see what the issues are and, instead of continually playing catch-up, prepare themselves. If the governments can help with this, it would be a godsend for those of us in the trenches.
It's a little like the dilemma board execs have: do I invest in a strategy that will pay off in 5 to 10 years' time and risk the demand to realise short-term returns becoming terminal for my career, or do I focus on short-term results? It depends to some extent on the culture they're working in, but the usual focus in a US/UK context is on short- to medium-term results, or results in the current financial year.
Survivorship bias means that the people who survive to propagate the messages on how to survive and prosper in organisations aren't those that invest for the long term.
@Steve-Wilme @dcontesti Perhaps a revised approach is required: that of understanding the actual business problem, and then running a series of workshops with senior management to get them to explain the business issue in their own language and terminology. Then play back your understanding from the various sticky notes that were created, so as to clarify what you understand; this will also help them to articulate the priority of their business concerns.
Then ask questions on what they think the impact of not prioritising particular business issues would be, and ask what would be sufficient to solve the problems in their minds.
Especially if you have sufficient members to work as a group and to express their own emotions and feelings, rather than being robotic about it.