Security Basics mailing list archives

RE: Senior management really concerns about security?


From: "Sinha, Amitabh (Amit)" <Amit.Sinha () lsi com>
Date: Thu, 5 Jun 2008 11:28:02 -0400

Security professionals are in the business of supporting "The Business". If senior management is asking for something
unreasonable, have a documented conversation explaining to them the risks it exposes, how it violates the existing
corporate security policy, and potentially a recommended alternative to achieve a similar goal without doing it the
unreasonable way. If "The Business" is willing to accept the risks, then just do it. You have done your part to let
them know the risk and that's all that you can do - OR look for another job and pray that the upper management is 
security conscious.

Good Luck,
Amit

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of acwang0048 () gmail com
Sent: Thursday, June 05, 2008 5:36 AM
To: security-basics () securityfocus com
Subject: Senior management really concerns about security?

Hi all,

Just want to ask whether you guys have encountered some unreasonable requests from your senior management (e.g. CEO)
whereby you, as IT personnel, understand the potential security risks involved. But then, when you try to explain the
security risks or consequences to them, they won't listen and just tell you they need this because of business function.

At the end, you can't do anything but adhere to what they request. But then, this leads to so many exceptions created
for senior management.

Well, this is what I am currently facing!!!

Does anyone have a better way to deal with this?

Cheers,
Wang

