Monday, March 24, 2008


Stupid IT Executive thinking creates insecurity...

I was reading a great posting by Matt Flynn on what drives executive sponsorship when I concluded that sometimes having executive sponsorship for projects is a worst practice...

Enterprises at most levels don't truly understand risk management, or at least not from a security perspective. The project management and process weenie crowds think of risk as the ability to deliver mediocrity by an arbitrarily derived date made up by the business in order to meet perception management expectations.

Have you ever seen some well-meaning individual within a large enterprise attempt to sell security? They will most certainly be beaten into submission by bean counters, since security projects may not always have an ROI. Why does security always have to be the step-child of an organization, unable to leverage the very trust model it so dearly attempts to steward? At one level, security folks tend to be the most trusted individuals within the enterprise: they are charged with protecting its assets in an ethical manner. Yet they can't get the assets needed to protect those assets in an ethical manner, and so have to resort to fear, uncertainty and doubt in order to be successful. Should enterprises force security people to follow best practices when the best practices are unethical?

What is even more problematic is that in order for security people to accomplish their mission, they have to sell not only the solution, but give away part of their soul along the way. When a security person decides that he doesn't want to sell his soul any longer, the process weenies and bean counters rejoice, when in reality it is a sad day for us all.

If a well-meaning individual puts a proposal on the table to solve problem X, quantifies not only the risk but also the costs, and accurately calculates that the money spent to solve the problem is cheap relative to the risk, should he be rewarded or confronted with additional impediments? When the security person stops selling, the bean counters will issue a proclamation along the lines of "I guess we didn't really need this solution after all" and pat themselves on the back. Since when does the need for something become coupled to the individual selling it...

