"THE SQUEAKY WHEEL doesn't always get the grease. Sometimes it gets replaced." This fortune cookie quote nicely sums up the career cycles of security professionals. Even in the most well-oiled corporate machine, the security officer may sometimes feel compelled to sound an alarm when the security pressure gets hot enough. That leads to friction with other executives who view crash-and-burn stories as a cynical attempt by the CSO to extort an increased budget or make a political land grab. Sometimes it is. So what's the sometimes panicked CSO to do?
Avoid the temptation to be an alarmist. It's true that many security professionals have developed a taste for hyperbole. Becoming an alarmist is an occupational hazard of the security profession because it does work (at least at first). Like other targets of scare tactics, though, the victims will eventually build up a tolerance to these "The Sky Is Falling" warnings. I call these Chicken Little speeches. I've also heard them referred to as FUD (Fear, Uncertainty and Doubt). Unfortunately, dropping the melodrama often means losing the funding for a fix and necessitates a compensatory strategy. The challenge for you is to get attention in a non-volatile yet effective way.
Treat security like a business. A better approach to handling the P&L types is to beat them at their own game by presenting security as a business decision instead of an all-or-nothing dogma. Frame the discussion around the company's capacity to absorb risk versus the increased cost of doing business. This encourages management to emotionally consider the downside before a problem ever happens and, more important, creates a buy-in for the resulting decision.
Create a measurement scheme. Experienced businesspeople manage to the deltas (variance from an expected number), not to absolute numbers. That works as well for security as it does for sales, headcount or network bandwidth. Modelling security by showing risk on a colour-coded chart or on a numeric yardstick hides the distracting detail while highlighting the key business drivers and foreshadowing the dangers.
Manage expectations. The range of choices should be calibrated to best practices in the company's business area. Banks should have more intense computer security than, say, car dealers. That's just common sense; but if you ask the managers of both businesses how much security they want, they want it all — that is, until they see the price tag. Providing industry standard comparisons is an important piece for setting up a comfort zone for decision making.
Provide regular feedback on progress of security goals. This is where measurement comes in handy. The CSO can even report on areas that he has no control over (which, of course, becomes a form of control). The emphasis should not be on "tattling" but on how well the company is doing against its own goals.
Recommend just enough security. Too much security is disruptive. Department heads like to ask for more than they need so they end up getting what they really want. Security officers who haggle like this are setting themselves up for a credibility problem just as much as the alarmists are.
Avoid "trust me" arguments. Chicken Little talk is counterproductive because it forces management to treat security as an either-or proposition instead of as a wide range of choices. Since most executives don't have enough experience to make a judgment, they are forced to rely on the security officer's appraisal of the risks. This reduces the tough problems down to: "Do I have confidence in the security guy?" As tempting as it is to be an authority figure and cut through the discussion with a pronouncement, it's just not a smart career move.
What's in it for the CSO? At a minimum, job longevity. Ideally, it leads to a more harmonious and less stressful work environment. When security people stop resorting to voodoo mumbo jumbo to scare up what they want, they'll spend less time worrying about getting stuck. Life for the chief security officer will be a lot calmer if a problem never becomes a crisis and if the solution doesn't require the blood of a sacrificial chicken.
David H. Holtzman, former CTO of Network Solutions, also worked as a cryptographic analyst with the US Navy and an intelligence analyst at DEFSMAC.