In a past life I worked as a consultant for a very large global computer services firm. I was a lead security engineer and one of the first responders for incidents and virus outbreaks for a large, Fortune 100 customer.
The powers that be spent a significant amount of time and effort sucking up to the customer. The customer said ‘jump’ and we asked ‘how high?’ That included decisions about computer and network security and how to mitigate and resolve security breaches.
Well, leave it to me to be the rebel who said “um, didn’t they hire US to manage their security?” As far as I was concerned the value that we brought to the table and the reason they paid us was to let THEM know how to secure their computers and network, and to effectively and efficiently mitigate and resolve security breaches.
So, when I read a recent blog post titled ‘Why Not Leave Security to the Experts?’ it resonated with me. Whether it's internal employees or external contracted resources, management needs to respect that security is a full-time role and let those who are focused on emerging attack techniques and trained in avoiding or blocking them do the job they were hired to do.
Here is the bottom line I learned while watching my management suck up to our large customer: they may like how compliant you are when you follow their direction and do what they ask no matter how stupid it is or how contrary it is to protecting and securing the network, but they also have short memories. When the proverbial ‘stuff’ hits the fan you will still be held responsible for the failed security and the customer will conveniently forget that they’re the ones who requested that hole in the firewall, or whatever.
I am not suggesting security pros go around being cocky or abrasive, but confident and assertive is OK. You will prove your value more and establish yourself as an indispensable asset by firmly doing the job you were hired to do and not catering to the whims of those who don’t know what they’re doing.
This is true throughout IT and throughout information security. It has particular application these days, though, with VoIP and unified communications. Companies are racing to deploy unified communications technologies, but are slow to understand the security risks or invest in the controls and technologies to secure them. When the system is breached, you will be the scapegoat taking the heat, so do the right thing and stand your ground to ensure management understands the risks involved.