Security Basics mailing list archives

Re: Senior management really concerns about security?

From: "Kurt Buff" <kurt.buff () gmail com>
Date: Thu, 5 Jun 2008 08:45:18 -0700

You have basically three options:

1) Find a better company to work for.

2) Do what they ask, without question, and hope for the best. This
course is likely to lead, sooner rather than later, to the first
option, because either the company will fold, or you will be blamed
for the security breach.

3) Document your concerns - write an email or whitepaper outlining
your concerns, with as many specifics as you can, including a
representation that the document and the tasks under consideration
should be approved by the company's legal staff. Present it for the
responsible manager's signature, with the acknowledgment that you will
implement it if signed, and include a clause that you are not to be
held responsible if a breach of security happens, if the order has
been executed with due care. If management is truly stupid, this
course is quite likely to lead, sooner rather than later, and perhaps
involuntarily, to the first option. If management is smart, and you do
a good job of presenting your concerns, you will have benefited both
yourself and the company. Of course, you had better be correct that
what they are asking for is worth this level of concern, because if it
is not, then option 1 is again most likely to be your path, and again
it will most likely be involuntary.

Kurt


On Thu, Jun 5, 2008 at 2:36 AM,  <acwang0048 () gmail com> wrote:

Hi all,


Just want to ask whether you guys have encountered some unreasonable requests from your senior management (e.g. ceo) 
whereby you as an IT personnel understands the potential security risks involved. But then, when you try to explain 
the security risks or consequence to them, they won't listen and just tell you they need this because of business 
function.


At the end, you can't do anything but to adhere what they request. But then, this leads to so many exceptions created 
for senior management.


Well, this is what I am currently facing!!!


Anyone has a better way to deal with this?


Cheers,

Wang

Current thread:

Senior management really concerns about security? acwang0048 (Jun 05)
- RE: Senior management really concerns about security? CISO (Jun 05)
  - Re: Senior management really concerns about security? Adriel Desautels (Jun 05)
- Re: Senior management really concerns about security? romain (Jun 05)
- Re: Senior management really concerns about security? Kurt Buff (Jun 05)
- RE: Senior management really concerns about security? Sinha, Amitabh (Amit) (Jun 05)
- Re: Senior management really concerns about security? Kola Salami (Jun 05)
- Re: Senior management really concerns about security? Shawn A. Corrello (Jun 05)
- Re: Senior management really concerns about security? Adriel Desautels (Jun 05)
- RE: Senior management really concerns about security? Daniel I. Didier (Jun 05)
- RE: Senior management really concerns about security? Adewale, Akin (IT Services - Infosec Team) (Jun 06)
  - Re: Senior management really concerns about security? afam mbanefo (Jun 06)
- Re: Senior management really concerns about security? Anjar Priandoyo (Jun 13)