Shostack + Friends Blog Archive


Making a Positive Impression With The Business

Larry Hughes has a great post over on Riskbloggers with tips on how to demonstrate that security is invested in the success of the business. There’s some really good stuff here. Especially these two:

Say “no” by saying “yes.” Somebody wants to uncork that remote access bottle, and let a thousand new contractors VPN into the corporate net from anywhere in the world with their own laptops? Of course you’d like to help them explore how they can meet their objectives in a way that’s neutral to the business’ security posture.

I can’t agree with this one more. The only thing I’ve seen that gets more traction and gets people playing nice with us is a major security event. All saying no does is make things more confrontational and put everyone in a resistant mood. So you want to avoid that, unless of course you like being called “Dr. No” [link to http://blogs.msdn.com/sdl/archive/2007/08/30/dr-no-and-risk-management.aspx no longer works]. By saying “How can I help?”, you are putting yourself in a position where you are making things happen, not being a roadblock.

Learn when to say “That’s good enough for now.” Scratching and clawing for every inch of ground this time, because you know how hard it’ll be next time, only leaves you with bloody fingernails. Nobody wants to buy things from people with bloody fingernails.

As Ken van Wyk and Mark Graff remind us in Secure Coding [link to http://securecoding.org/ no longer works], it’s not about being secure. It’s about being secure enough. It’s never going to be perfect, so the question is whether there is enough protection from threats for the foreseeable future.

This is similar to how we need to understand how businesses work. But we also need to understand how people work and learn how to interact with them better. As usual, the people are indeed the weakest link, but in this case, it is us.

One comment on "Making a Positive Impression With The Business"

  • Ian says:

    So true: it’s about engaging the business folks and being an enabler. Learning the problems and coming up with innovative, cost effective and reasonably secure solutions.
    Not to be confused with saying yes to everything, setting high expectations and then underdelivering, which happens a lot…
    And BTW great pic: Pogo rocks!
