Showing posts with label screw-up. Show all posts

Sunday, August 26, 2012

Information Security screw-up #3 - it's all about financial sense


Many of us, as Information Security professionals, would love to have the best-of-breed security technologies in place. And most of us are paranoid and want things to be as secure as possible. However, that's not how the real world works. Not in an enterprise environment, at least. And the current state of the world economy is not helping either, adding insult to injury.

This story is about the same "young" Information Security lad....

Mr. Global CISO: Ok, team. Now it is time again for us to propose our budget for next year. I expect each of you to prepare a budget proposal for your region and come back to me by the end of this week. Then we shall discuss. What you want to do with your region, I'll leave to you, as long as it makes sense.

Young Information Security lad: No worries, sir. You'll get it by the end of the week.

Right after the meeting, the "young" information security lad opens his laptop and starts to list all the potential information security projects. After giving it some thought, he decides to give the "laptop encryption" project the highest priority.

Mr. Global CISO: So, what do you have for me?

Young Information Security lad:  Mr. Global CISO, here are the projects that I have in mind for my region. I would like to highlight to you this particular project - laptop encryption...

Mr. Global CISO: That sounds interesting. Looking at your proposal, you propose to cover all the laptops - that would be around 50,000 laptops in your region - and as it would cost 200 EUR for each laptop, that would be 1 mil. EUR in total. Now, imagine I'm the CEO. Try to convince me why I should give you this 1 mil. EUR.

Friday, July 27, 2012

Information Security screw-up #2 - it's about selling not telling!



Not many Information Security Managers or CISOs have the luxury of walking around with a strong mandate from their CEO or company board for implementing and enforcing information security processes within their organization. Especially if a company's bread and butter is not finance or intellectual property in nature. In this kind of company, it is unlikely that people would automatically support what an information security guy tries to do or enforce. People tend to see information security more as a barrier than an enabler.

Now, let the story begin....

This story is about the same "young" Information Security lad, who has now joined a new company as the new regional information security manager. Sadly, he still has the mentality that, as an information security person, everyone will do whatever he says when it comes to information security matters.

Mr. Global CISO: <speaking in a team meeting> Ladies and gentlemen, thank you for your contribution. After 6 months of hard work, I'm glad to announce that the Corporate Information Security Policy that we developed has been approved by the Management. Now, it is your task to ensure that this policy is enforced within your area. Please do not hesitate to come to me if you have any difficulties or are getting push back.

Young Information Security lad: Don't worry, sir, I will ensure that this is enforced in my region. I don't foresee any issues.....

Right after the meeting, the "young" information security lad opens his laptop and starts drafting an email:

Wednesday, July 4, 2012

Information Security screw-up #1 - security vs uptime



Well, after reading through all of my previous stories, some of you may have had the feeling that I'm telling these stories to show that Information Security professionals are always right. No, not really... we do make some mistakes... like everyone, we learn from experience as well.



This is a story about how one Information Security lad screwed up, when "he was young" :)

Once upon a time, there was this one "young" Information Security lad who had just joined a quite successful .com company. As the new Information Security Manager, he felt like he was the town sheriff and everyone had to listen to him when it came to security matters.

It was a weekend, a nice-weather weekend indeed, when he received a call from his company. Apparently, there was a virus outbreak in his company. He was called back to the office immediately...

Young Information Security lad: After some investigations, I found the source of the outbreak. It's coming from this server called E-pay. You shall take down this server immediately and have that malware cleaned right away!

Server Admin folk: That would not be a good idea. We can't just shut down a server like that. I don't think the application owner would be happy with that.. we need to...

Young Information Security lad: <* interrupting *> This is a serious security issue! We must stop this before it spreads around! Shut down that server immediately!

Server Admin folk: Errr.......