by Michael Starks
Dear Chief Executive Officer,
I want to help.
When you hired me as a security professional, I had certain expectations. I expected that you would come to me for guidance when evaluating new technologies. I expected that you would solicit my feedback when engaging in risky ventures. I expected that, as a professional, my security expertise would be valued.
I want to help you pass audits. In order to do that, you need to understand that passing the audit is not the actual goal. To pass audits, we need to have a security program that is perpetually healthy, one that creates and sustains a security culture. It needs to be healthy enough that passing audits is a natural consequence of how we handle information.
I want to help you stay safe from attack. In order to do that, we need to not only perform risk analysis, but also act on the results. We need to take these results and turn them into action plans. We will sometimes need a budget to make these things happen.
I want to help you avoid fines, bad publicity and more regulations. In order to do that, we will need to actually enforce the security policy we already have, and which you signed off on. Yes, that means consequences for those who willfully violate it.
I just wanted you to know that when you put systems into production and say, “we’ll do the security stuff later,” I can’t help you in the best way possible. When you start audit activities two months before the audit, then try to negotiate away the exceptions, I can’t help you in the best way possible. And when you don’t approve a critical patch on a production system because it might break something, I can’t help you in the best way possible.
I want to help you sell your product. In order to do that, the business has to stay safe enough to meet your goals. Let’s work together to find creative ways to protect the business.
Yours in security,
The Security Professional