Throwing in the towel

I was saddened to hear of an InfoSec colleague who met with overwhelming frustration at work:

After two years of dealing with such nonsense, I was forced to resign
within two months of discovering a serious security issue which possibly
jeopardized overseas operations. I have since found out that they are
selling the company and didn’t want any who knew the problems around.

Thank you.
Speaking as an auditor who occasionally does “due diligence” with respect to take-overs, you’ve just shown another use for LinkedIn – contacting ex-employees to find out about such problems.

Certainly a lot of employees leaving or being fired in the couple of years before the pending acquisition is a red flags, eh?

He goes on:

In the end working in the security field is challenging, however much has
to do with the team. If you are dealing with willfully ignorant executives
then you should try to find another position. An old timer once said to me,
“There is no fix for stupid”.

There’s no fix for a lot of things, but not all conflicts are because of ‘stupid’.

In a recent issue of the ISSA, Donn Parker had a wonderful article pointing out another downside of the Risk Analysis methods we were taught as part of the CISSP/CISA curriculum and are embedded in things like ISO-27001. We express “risk” as a series of negatives, of threat to the organization and possibly even to the executives themselves. The ISACA literature such as their briefings to board and executive are full of implied personal threats.

Of course they don’t like this; of course they don’t want to hear this.

“Information security practitioners should be engaged in
and identified with a positive profession of diligence-based
information security rather than a negative risk-based
profession attempting to measure security by conjecture of
the future dangers of crime, abuse, misuse, errors, and
omissions that attempt to demonstrate dramatic failure of
protection efforts.”

Donn opens with the question:

“Do you wish to have your manager introduce you to others
as ‘The expert on cybercrime, viruses, and worms?’ or ‘The
expert helping us protect our information, systems, and
networks?’ By emphasizing a positive diligence approach,
management is more likely to be happier and more supportive
of security and view information security professionals as
positive contributors to the organization’s image, looking
out for its business interests.”

Well do you?

Ask yourself if the impression you give to your senior management, the board and executive, is one that THEY can only see as a a positive. Your intention may be to “make things better”, but how are you phrasing that?

In general, I don’t think managers are egoistic, illogical creatures (though, to be frank, I have met one or two in my 30+ years of consulting and dealing with many hundreds of companies). Its that they
have different objectives and a different working context than you[2].
Yes, that may be to sell the firm off quickly.

So, really, they are no better communicators that you are. You keep sending them what are to them FUD-messages; they send you messages that make them look egoistic, illogical, stupid, and obstructionist in your eyes.

I’ve said repeatedly that we need an 11th domain for the CISSP. Some people object to names like “Social Engineering” because of its existing connotations. But ignorance of good psychology, good presentation skills, “selling” your ideas and proposals and communicating your concerns are obviously something that is a concern to all of us. Such skills are every bit as important as the ‘technical’ skills in the other domains.

If you can’t sell your skills, your ideas, your concerns, then you’ve just another ‘grunt’ doing what he’s told and taking home his pay. You may as well be flipping burgers or stacking shelves.

And, I’m sorry to say, that if you get upset that your FUD-focused attempts to scare management into doing what you want fail, you have only yourself to blame. There’s a saying about people who keep doing something that doesn’t work. Go google for it.

Enhanced by Zemanta

About the author

Security Evangelist

Leave a Reply