In a recent CSO Magazine story (http://www.csoonline.com/read/080106/col_undercover.html?source=csosecurityleader), an anonymous CSO tells his sad tale of his attempts to bring security into a company.Â Â He reports to an inexperienced CIO who wonâ€™t accept the word or presence of the CSO.Â
Itâ€™s really no different than at many companies where the CSO (or equivalent) is told, â€œDonâ€™t be a barrier.â€Â It seems that CSOâ€™s are better seen and not heard.Â They should be a figurehead.Â (See the Security Management story from July 2001, â€œBeyond the Figurehead FaÃ§ade,â€ http://www.securitymanagement.com/library/001064.html)
As Eugene Spafford said long ago in the security bible, Practical Unix & Internet Security, ‘If you have responsibility for security, but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.’Â That principle is as true today as it was when first said in the early 1990s.
Even Microsoft has repeated it.Â In their Security Risk Management Guide (http://www.microsoft.com/technet/security/topics/complianceandpolicies/secrisk/srsgch01.mspx#EKG), it says, â€œSenior management must unambiguously and enthusiastically support the security risk management process. Without this sponsorship, stakeholders may resist or undermine efforts to use risk management to make the organization more secure. Additionally, without clear executive sponsorship, individual employees may disregard directives for how to perform their jobs or help to protect organizational assets.â€
Of course only techies have read any of the above resources.Â Not business people; not CIOs; not those who are ultimately responsible for security. We are preaching to the choir.
Why is it so hard to get true management backing for security?Â Why do so many organizations think information security is an IT problem and insist on burying information security under IT?Â Why does it take a major security breach to get managementâ€™s attention to security vulnerabilities?
Our ideas in Security 2.0 address this problem.Â The third element presents the tools, skills, attitudes and experiences required for a Security 2.0 professional.Â To be successful and have full backing from management, you must have critical non-technical skills such as psychology, leadership, business, and communications.Â This is a paradigm shift that is required for Security 2.0 professionals.Â Â Â Â Â Â Â Â Â Â Â Â Â
In the mean time, remain vigilant, persevere through it, and continually find ways to show the value of security.Â You should also learn the business, be a competent communicator, and continually sell the necessity of security.Â There is no technical solution to this problem; nothing a vendor can sell you; nothing the government can dictate.Â The good news is that you are not alone â€“ and by coming together, we can help each other improve. It starts with one person making a stand, then the rest of us grow stronger and more effective!
When will this insanity end?Â With Security 2.0. The time is now for us to shift the focus, have valuable points to share and make our cases effectively. This is going to be an exciting journey!Â By working together and helping each other, we all become stronger.
[Note from Michael:Â We look forward to sharing our ideas in the soon to be re-released â€œCatalyst Communityâ€ â€“ currently undergoing some testing for configuration. ]