Straight talk to the rescue
Want to be a hero in your environment? Then align your company's actual threats with defenses that address them. Could anything be simpler?
Here's what I mean: Suppose your company is most often compromised by client-side, end-user-initiated malware as described above. Sit calmly at the conference table and smile. Quietly observe that even though longer and more complex passwords are a good thing, even though disk encryption is a good thing, even though getting rid of weaker authentication protocols is a good thing -- would any of them have stopped the intruder who just broke into your systems?
Then shout, "No!" and slam your hand on the table.
Tell them that, like relationships, the best indicator of future behavior is past behavior. If you're being broken into mostly because your systems contain unpatched Java, well, by God, start making sure Java is patched. To extend that example: If 50 percent of your exploitation cases involve unpatched Java, and 49 percent involve users running things they shouldn't, then every other hacking scenario together makes up a mere 1 percent of attacks. (For the percentages to add up like that, each incident has to be assigned a single root cause; if you count an incident under several categories, the shares will overlap and overstate the total.)
Say it in slides -- five of them, to be exact
Management likes pictures. All you need is five PowerPoint slides. On the first, rank the various threats in your organization by their risk level:
- Unpatched software
- Inadvertently downloaded malware
- Everything else
On the second slide, show how one or two defenses will get rid of the No. 1 risk. For example, if you are able to patch Java quickly, you can eliminate 50 percent of all successful hacking attacks against your company (using the split from the example above). Slide No. 3 should show defenses against the second-most severe risk. Then, on the fourth slide, list out all the risks that make up the remaining 1 percent. On the last slide, add up the cost of all the defenses that would be required to eliminate that 1 percent risk.
Then ask, "Which defense do you want me to spend money on?"
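As an added example (not part of the original column), here is a small Python script that does the arithmetic behind those five slides from an incident log: it ranks root causes by their share of successful compromises, scores each candidate defense by how much of that past risk it would have removed per dollar, and totals the cost of eliminating the long tail. The incident counts, the defense names, the mapping of defenses to root causes, and the cost figures are all constructed assumptions chosen to mirror the 50/49/1 split used above.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Constructed incident log: one root cause per successful compromise.
# The counts are illustrative (they mirror the 50/49/1 split in the text), not real data.
INCIDENTS: List[str] = (
    ["unpatched_java"] * 50
    + ["user_executed_malware"] * 49
    + ["weak_password"] * 1
)

# Hypothetical candidate defenses: the root causes each one would have stopped,
# and an assumed annual cost. Names and figures are made up for this example.
DEFENSES: Dict[str, Tuple[Set[str], float]] = {
    "patch Java within 7 days": ({"unpatched_java"}, 40_000),
    "application allow-listing": ({"user_executed_malware"}, 120_000),
    "longer passwords plus MFA": ({"weak_password"}, 60_000),
    "full-disk encryption": (set(), 90_000),  # good hygiene, but stopped none of these
}


def rank_root_causes(incidents: Iterable[str]) -> List[Tuple[str, float]]:
    """Slide 1: each root cause's share of successful compromises, largest first."""
    counts = Counter(incidents)
    total = sum(counts.values())
    if total == 0:
        return []
    return sorted(((cause, n / total) for cause, n in counts.items()),
                  key=lambda pair: pair[1], reverse=True)


def risk_reduction(addressed: Set[str], shares: Dict[str, float]) -> float:
    """Fraction of past compromises a defense would have prevented outright."""
    return sum(shares.get(cause, 0.0) for cause in addressed)


def rank_defenses(incidents: Iterable[str],
                  defenses: Dict[str, Tuple[Set[str], float]]
                  ) -> List[Tuple[str, float, float, float]]:
    """Slides 2 and 3: (defense, risk reduction, cost, reduction per dollar),
    best value first. A defense that stops none of the observed compromises
    scores zero no matter how cheap it is."""
    shares = dict(rank_root_causes(incidents))
    rows = []
    for name, (addressed, cost) in defenses.items():
        reduction = risk_reduction(addressed, shares)
        per_dollar = reduction / cost if cost > 0 else 0.0
        rows.append((name, reduction, cost, per_dollar))
    return sorted(rows, key=lambda row: row[3], reverse=True)


def long_tail(incidents: Iterable[str], top_n: int = 2) -> Set[str]:
    """Slide 4: every root cause outside the top N."""
    return {cause for cause, _ in rank_root_causes(incidents)[top_n:]}


def cost_to_eliminate(defenses: Dict[str, Tuple[Set[str], float]],
                      causes: Set[str]) -> float:
    """Slide 5: total cost of every defense that addresses at least one of `causes`."""
    return sum(cost for addressed, cost in defenses.values() if addressed & causes)


if __name__ == "__main__":
    print("Slide 1: root causes by share of successful compromises")
    for cause, share in rank_root_causes(INCIDENTS):
        print(f"  {cause:<24} {share:6.1%}")
    print("Slides 2-3: defenses by risk removed per dollar")
    for name, reduction, cost, per_dollar in rank_defenses(INCIDENTS, DEFENSES):
        print(f"  {name:<28} removes {reduction:6.1%} of past compromises "
              f"for ${cost:,.0f}")
    tail = long_tail(INCIDENTS)
    print(f"Slide 4: remaining risks: {sorted(tail)}")
    print(f"Slide 5: cost to eliminate them: ${cost_to_eliminate(DEFENSES, tail):,.0f}")
```

The ranking metric (risk removed per dollar spent) is this example's choice, not something the column prescribes; it is the simplest way to make the "which defense do you want me to spend money on?" question answerable with numbers. Swap in your own incident data and cost estimates, and note that a defense which addresses no observed root cause, such as the disk encryption entry here, lands at the bottom regardless of how sensible it is in the abstract.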
Too patronizing? Maybe. But take my word for it, subtlety doesn't work. Whatever you do, don't worry about whose pet project you may be stepping on. Be a hero. Be like Jack Nicholson in "A Few Good Men": "You can't handle the truth!"
I can tell you from firsthand experience that senior management hasn't been given -- or at least hasn't absorbed -- the truth of what really decreases risk. If they had, I wouldn't have to give my talk so often.
This story, "Your guide to becoming a true security hero," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.