March 10

An Open Letter to CEOs

by Michael Starks

Dear Chief Executive Officer,

I want to help.

When you hired me as a security professional, I had certain expectations. I expected that you would come to me for guidance when evaluating new technologies. I expected that you would solicit my feedback when engaging in risky ventures. I expected that, as a professional, my security expertise would be valued.

I want to help you pass audits. In order to do that, you need to understand that passing the audit is not the actual goal. To pass audits, we need to have a security program that is perpetually healthy, one that creates and builds a security culture. It needs to be healthy enough that passing audits is a natural consequence of how we handle information.

I want to help you stay safe from attack. In order to do that, we need to not only perform risk analysis, but also act on the results. We need to take these results and turn them into action plans. We will sometimes need a budget to make these things happen.

I want to help you avoid fines, bad publicity and more regulations. In order to do that, we will need to actually enforce the security policy we already have, and which you signed off on. Yes, that means consequences for those who willingly violate.

I just wanted you to know that when you put systems into production and say, “we’ll do the security stuff later,” I can’t help you in the best way possible. When you start audit activities two months before the audit, then try to negotiate away the exceptions, I can’t help you in the best way possible. And when you don’t approve a critical patch on a production system because it might break something, I can’t help you in the best way possible.

I want to help you sell your product. In order to do that, the business has to stay safe enough to meet your goals. Let’s work together to find creative ways to protect the business.

Yours in security,

The Security Professional

  1. Dear Security Professional,

    Please work with the CIO on this. She is the person responsible for managing the issues you are concerned about.

    Thanks for your help,

    CEO

    In other words: ever get pigeonholed in your own company? 😉
