Making the Business Case for Information Security
James Champy once said, “Many executives are insulated from reality and consequently don’t know what the hell is going on.” I can’t think of a better real-world example of this than management’s relationship with information security. It’s a problem that affects practically every business, every non-profit and every government agency. And it’s also one of the greatest barriers to success we have in our jobs as security professionals.
This problem will be a thing of the past in a few decades, but right now, we have a lot of old-school managers faced with new world technology-based realities — and they often don’t mix well.
But who’s really at fault here? Do we blame management for burying their heads in the sand, claiming that there’s nothing on the network of any value that the bad guys would want? Or, do we take a good look at ourselves and consider that perhaps we’re part of the problem? I think the true answer is a lot of both.
Everyone — management, IT, physical security, you name it — has their own opinions and beliefs about information security. Some see it as a hindrance, others as a side-effect of big government regulations, and yet others as an opportunity for job security. Likewise, everyone has their own perceived risks. What seems high-priority to a network administrator may be off the radar of the same organization’s operations manager. Opinions and beliefs aside, information security is a business issue that deserves to be treated like any other serious function — but how do you get that message across to those who make the final decisions?