
What do bad security managers do?

I have spent the last 6 years working in information security, IT risk management and IT auditing.

Being a pedant, I am very preoccupied with the question of personal effectiveness and am constantly looking for ways to improve it within the areas I work in. I use training and certification to systematize my knowledge and to run a gap analysis of my own practices against generally accepted ones, and I talk with colleagues who share these interests. Over several years I have got to know information security specialists of every level, from technical administrators to top managers of large companies. But the greatest benefit came, and still comes, from feedback from end users and managers, that is, from the business.

IMHO, I have managed to achieve some success in promoting information security within the area assigned to me (and, not least, in raising its actual level), while at the same time I watch some colleagues who head information security services fail. So now I will tell you how to fail after being appointed head of the information security service, in just 8 simple steps. I warn you that the road to becoming a poor head of information security can take more than a year, and as a rule takes 10-12 years.
1. Do not communicate with the owners of business functions in the company.
The owner of a business function is the top manager who is responsible for a particular business line and, accordingly, bears all of its inherent risks. Take a bank, for example: some deputy chairman for retail oversees the retail business, he is the owner of that business function, and he, more than anyone, cares whether the front-office system works, how long it takes to open a branch, and how long it takes to reset the password of a single employee at a point of sale. If you want to increase the resilience (availability) of the front-office system, then among the people who sign off on the budget he may be the only one your arguments will reach. Another banking example is the vice president / deputy chairman for remote services. Who, if not he, worries about the fate of the Internet banking system? Who will push the idea of implementing hot spares and tokens together with you? Do you know why your Internet banking server is still hosted on win2k and administered over radmin under the domain administrator account?

2. You never participate in projects
If you don't want controls and security features to make it into the system by the time it goes to production, the best moment to ignore IS requirements is the start of the project, the very moment when deadlines, budgets and the rough architecture are being decided. The lack of a risk assessment in the early stages of a project leads to a huge headache later and significantly increases the cost of putting things in order. But you will not be putting things in order.

3. You never talk about IS problems to internal auditors
You know better than anyone what is happening in the company, and you do not need an independent view from outside.
And most importantly, you do not need someone else putting additional pressure on top managers, forcing them to take measures to reduce IT / IS risks.

4. The risk-based approach will only get in the way
Otherwise you won't be able to roll out a DLP (data leakage prevention) solution for 20 million (to protect assets worth 230 rubles in small change) in order to monitor users' correspondence and stop them from sitting on VKontakte. After all, who, if not you, should be dealing with employee motivation and loyalty?

5. Do not communicate with users
The opinion of users is not important, because they do not understand information security issues and a priori cannot raise anything constructive against your expert opinion.
The changes you introduce are forced measures that increase the company's information security, and, of course, its labor productivity.

6. Implement security for security
Yo Dawg, I heard you like DLP, so I put DLP in your DLP.
There is no such thing as too many controls, so it would be good to forbid downloading files from the Internet. Access, of course, is by login and password, with every transition between pages confirmed by a one-time SMS password. But only after the operation has been confirmed by the responsible officer (with an entry in a paper journal kept in a safe), who on the way to his workplace passed through two checkpoints, showed his pass five times, signed twice and wrote an explanatory note because he forgot to take the flash drive out of his pocket when going through the X-ray.
No one is allowed to violate your information security policy!

7. Do not coordinate policies with company management.
Who, if not you, gets to dictate information security policy in the company? After all, you are the expert; you were hired to ensure information security. It's simple: if they had wanted you to represent the interests of the business or of users, they would have hired you for a different position.
So download a policy from the Internet, add a pinch of blackjack, and quietly slip it to the boss for signature.

8. Hide the results of your work from management
If, God forbid, you are asked to report on the results of your work, the recipe is simple. You make a presentation with the following slides:
- An export from the antivirus console; the more digits, the better. This is the most visual data on the most dangerous threats. 93.8% !!!
- A memo addressed to the chairman with the results of the investigation into the incident with the flash drive; the more text consisting of long chains of letters, the better. It is advisable to attach an explanatory note.
- An export from the proxy with the list of visited resources and traffic consumption. To arouse lively interest in the audience, highlight the juiciest sites in red.

But to avoid engaging in useless nonsense, it is enough to:
- Remember that a significant part of information security rests solely on the awareness of the user (he must be trained, he must be helped, he must be listened to)
- Be open and proactive in communicating with employees and management
- Involve top management in information security management, motivate them and get their support
- Understand the business you protect and offer solutions to its problems (before they appear)
- Understand the assets you are protecting
- Not spend resources on implementing unnecessary controls. Remember the cost/benefit component: estimate how much the security measure you just introduced cost and what the potential quantitative damage from the incident would have been
- Not hide in your cocoon. This applies both to general friendliness in communication and to the opportunity to involve other interested parties in solving pressing information security problems (as in the audit example above; audit often has more influence and independence in the company)
- Hold the dialogue in an accessible language. For users, this is the long-forgotten human language of ordinary people. For management, it is the language of money: if you can sell your risk reduction plan to one of the top managers, he will be able to sell it to whoever actually coughs up the money
- Remember that a significant part of information security rests solely on the awareness of the user (yes, that firmly)
- [Relevant for large companies] Every achievement in information security can be packaged in a beautiful wrapper and presented to one of the managers, who in turn presents it one step higher, and so on. This is an essential part of surviving effectively in a corporate environment, where top management usually lives only with problem solving and negativity, and seeks to maintain its position. If you bring such sweets to your supervisor, it is very likely that he will make an effort to promote your suggestions and solutions that will generate more sweets.

I would be happy to discuss this topic, and even happier if someone recognizes their own mistakes in this article and thinks about them.

Source: https://habr.com/ru/post/202878/
