Information Security screw-up #2 - it's about selling not telling!

Not many Information Security Manager or CISO has the luxury of walking around with a strong mandate from their CEO or Company Board for implementing and enforcing information security processes within their organization. Especially, if a company's bread and butter are not of finance or intellectual property in nature. In this kind of company,  it is unlikely that the people would automatically give a good support on what an information security guy try to do or enforce. People tend to see information security more of a barrier than enabler. 

 
Now, let's the story begin....

This story is about the same "young" Information Security lad, but now has joined a new company as the new regional information security manager. Sadly, he still has the mentality that as an information security person, everyone will do whatever he says when it comes to information security matters.

Mr. Global CISO: <speaking in a team meeting> Ladies and gentlemen, thank you for your contribution. After 6 months of hard work, I'm glad to announce that the Corporate Information Security Policy that we developed has been approved by the Management. Now, it is your task to ensure that this policy is enforced within your area. Please do not hesitate to come to me if you have any difficulties or getting push back.

Young Information Security lad:  Don't worry sir, I will ensure that this is enforced in my region. I don't foresee any issues.....
Right after the meeting, the "young" information security lad open his laptop and start drafting an email:

Information Security vs Auditor - foe or friend?

Auditors - hmm... most of the times, nobody really likes them right? And many people see them as a foe. As an Information Security Professional, I see them more of a friend rather than a foe. Although sometimes we don't really see each other eye to eye, especially when dealing with the "dinosaur" type of them, but most of the times I would say we do have common goals - that is to ensure adequate security measures are in place and enforced. 

This story is about how you could "make use" of auditor to achieve your security goal. Hope this would help bring closer your "friendship" with the "foe" :)

Information Security lad: Mr. CEO, after various incidents of malware outbreaks within the company, we have come to the conclusion that we need to raise the awareness among the employee. Here is the business case for our security awareness campaign. As you can see, we will work together with HR to include this proposed Computer Based Training (CBT) program within the induction training...... blah blah blah....  For this to happen, we will require budget of EUR 20K to setup the CBT etc......

Mr. CEO: I like the idea of that CBT... however, as you may have known, budget is a bit tight right now with all these cost cutting initiatives going on. We don't have extra budget for this...

Information Security lad: But Mr. CEO, we really need to do this. If another outbreak were to happen again, it will cost us more resources handle the situation. At the end of the day, it will cost more than this business case.

Information Security screw-up #1 - security vs uptime

Well, after reading through all of my previous stories, some of you may have had the feeling that I'm telling these stories to show that Information Security professional is always right. No, not really... we do make some mistakes... like everyone, we learn from experiences as well.

This is a story about how one Information Security lad screw-up, when "he was young" :) 

Once upon a time, there was this one "young" Information Security lad who just joined a quite successful .com company. As the new Information Security Manager, he felt like he was the town sheriff and everyone got to listen to him when it comes to security matters. 

It was a weekend, a nice weather weekend indeed, when he received a call from his company. Apparently, there was a virus outbreak in his company. He was called back to office immediately... 

Young Information Security lad: After some investigations, I found the source of the outbreak. It's coming from this server called E-pay. You shall take down this server immediately and have that malware cleaned right away!

Server Admin folk: That would not be a good idea. We can't just shutdown a server like that. I don't think the application owner would be happy with that.. we need to...

Young Information Security lad: <* interrupting *> This is a serious security issue! We must stop this before it spreads around! Shutdown that server immediately!

Server Admin folk: Errr.......