Original URL: http://www.theregister.co.uk/2002/08/23/an_open_letter/
An open letter to the CIO
You're a dork
Dear esteemed corporate leader:
By the time you read this, our summer vacations will be winding down, the long days of summer will rapidly recede into memory, and, for those of us slaving away in the corporate trenches, work will begin to pick up again.
Given that summer may be a time for forgetting the drudgery of work (particularly for vacationally-endowed executives), on behalf of security managers everywhere, I humbly offer this epistle as a brief refresher for our corporate leaders as we head back to the business of doing business. I hope that this letter will help jog their memories as to what our duties truly are, and make it more bearable for them when their respective security managers begin to pester them with dire warnings of impending network doom and requests for ever-larger security budgets. May it also help our beleaguered security managers get some real support as the fall begins.
Security managers only seem paranoid
You may think that we believe threats lurk behind every router, hub and user, and sometimes to us it seems that way. However, we realize that repeated, unsubstantiated gloom-and-doom warnings about cyber-terrorism, viruses, and hackers will only make you ignore us, much like we ignore those ubiquitous NIPC warnings. Therefore, we pledge to only report tangible, confirmed items that present a pressing danger to the continued operation of the company. In return, we ask that you acknowledge our advice, heed our warnings, and support us in the best interests of the company.
Furthermore, while you may not want us to be involved in the policy approval process, we ask to be included as trusted advisors when such items are discussed and that you allow us to make informed comments as necessary. After all, you hired us because our credentials were sound, our knowledge deep, and our abilities strong. And we're still employed because you trust us to do the right thing. That includes giving you objective, informed advice on security matters when appropriate. It's up to you to take our counsel as the experts in this field and make the right decision for the company's best interests.
Security is more than technology components
Our three guiding principles are to serve the business by ensuring the confidentiality, integrity, and availability of the systems under our responsibility. As good security practitioners, it's our duty to think like the bad guys, and figure out how they might cause damage to our corporate information environment. Sure, we know that our firewalls are good and are updated regularly, but simply spending money on technological solutions will not ensure the security of the enterprise. If we do not have redundancy built into our networks, if we continue to use software that's full of recurring security holes, if we continue to treat security as a secondary issue, our organizations' data will continue to be at risk.
Security professionals know that people are inevitably the weakest link in the security chain. We can minimize the negative effects of human error if we have your support in designing sound policies and procedures. We must be able to count on your support when it's necessary for us to implement and enforce them. Organizations place a premium on employee education and knowledge for their success; this should extend to security as well.
Our calls for better security education amongst employees aren't to fuel our ego or increase our power in the company, they are merely to ensure that security is considered and implemented throughout our corporate environment. Just as you would ask all stakeholders to take responsibility for the success of the enterprise, we would ask that all employees take responsibility for the security of the organization's crucial data. It doesn't cost much to raise awareness, and in the long run, it's a great return on investment.
We think - we hope - you would prefer to have problems prevented through effective education and planning before the fact than through costly damage control and repair after the fact, when it will likely disrupt operations, cost more money, be harder to address, and endanger our revenue stream, not to mention embarrass us in the eyes of our shareholders and the media.
Sweat more in training, bleed less in combat
If you happen to wander the corridors around our work areas and see us surfing the Net, rest assured, we aren't goofing off. If you hear our hoots of glee from the test lab when playing around with new software or hardware, trust us, we're not playing frivolous games. Believe it or not, we're doing research.
Computer security is a rapidly changing field. New vulnerabilities are announced every day. New exploits that take advantage of those bugs inevitably follow soon after. To be truly effective security guardians, we need to know not only what we're up against but how to defend against it. That means we have to be on the prowl for new attack tools and hacker news, so that we can be better prepared to respond if and when such attacks occur.
We take it upon ourselves to learn the tools and techniques of the bad guys, and apply them against our own systems first to see where they might be effective at causing damage to our company. Knowing that, we can then prepare and protect ourselves accordingly. This may sound a little kooky or far-fetched, and it is certainly unconventional in the button-down corporate environment, but you'll thank us when the next major virus, bug, or exploit passes us by unscathed.
A distinct, trusted entity
We're not the secret police. Our primary customer is the company and its employees. We can't be effective without their participation and support, and that includes working well with product teams and business unit leaders. As such, we pledge to be objective, trusted third parties for the company - just like the legal and HR departments - and will work to earn and keep their trust by being available, easy to work with, professional, and helpful. While we may report to the CIO, unless we're free to work with other business units and departments without multiple layers of bureaucratic stovepipes, we'll never be perceived as anything but a bunch of glorified geeks trying their best to make it difficult to accomplish anything in the company...which is not the case. We're here to help, and work with people to move the company ahead, not slow it down. We're business assurance specialists, not obstacles to profitability.
By the same token, we need the support of your fellow corporate muckety-mucks to ensure that we receive the support and respect that we need to do our jobs as effectively as possible. This may mean giving us the authority to enforce security policies. It may mean allowing us to participate in the education of the end users. It may mean giving security personnel a higher profile in the company. However it is done, by integrating us into the company and giving us the respect and status our work deserves, you will make it easier for us to do our jobs. And that can only benefit everyone.
Autumn always seems to be a time of renewal in the workplace. I hope that these few points will explain how I plan to build and administer my security team this coming year. It may sound strange, but I do want to work with you and make our company's information environment much more secure, so we can continue to be profitable, even in today's goofy market.
Thanks for listening. See you by the water cooler.
© 2002 SecurityFocus.com, all rights reserved.