Ten tips on tackling a thorny infosec issue
A member approached the ISO27k Forum this morning for advice:
"What would you recommend to do if our warnings as ISMS department specialists/auditors are not taken into account?"
What can realistically be done if management isn't paying sufficient attention to information risks that we believe are significant?
This is a thorny issue and not an uncommon challenge, particularly among relatively inexperienced or naïve but eager information risk and security professionals, fresh out of college and still studying hard for their credentials. It can also afflict the greybeards among us: our passion for knocking down information risks can overtake our abilities to convince managers and clients.
Here are ten possible responses to consider:
- First, consider that management might, in fact, be correct! Gosh! Perhaps, given the nature of the field and the personal interests and biases that led us to specialise in infosec in the first place, we are over-stating the risks, and underestimating the true costs of the controls we are proposing. In general, we tend to focus on the negatives. We see those little vulnerabilities that others don't even notice or disregard. We read of or know about threats and incidents that management probably doesn't appreciate. Our understanding of the potential impacts of incidents may be complementary or at odds with management's understanding of the likely business consequences and responses, other priorities and objectives etc. Either or both perspectives may be misguided or plain wrong, while the truth is probably somewhere in the middle. Few issues are as binary as we sometimes think.
Hinson tip: take a break to calm down, review your analysis, reconsider your options and recommendations. Study management's position more carefully. Seek other opinions from those involved and/or from trusted advisors. Try to establish whether there are genuine, valid objections, maybe 'an element of truth' in management's perspective that you have overlooked. Even if you remain convinced that management is plain wrong, you will be in a better position if you understand their perspective.

- Make even more effort to describe, explain and explore the risks and controls in terms our colleagues understand. Focus on specifics, matters that 'clearly' (in your considered opinion) should be priorities. Stop simply repeating the same lame arguments and rephrase things. Reapproach the risks from other angles. Use examples, particularly news of actual incidents from the business itself, or from the industry, the locales, or the news media, posing rhetorical questions such as "What stops us suffering something similarly damaging (or even worse) here?". Develop diagrams. Compare and contrast risks (information risks and maybe others). Somehow interest and persuade your colleagues to engage in the analysis and debate, truly considering the possibilities. If appropriate and available, use credible research reports and advice from acknowledged experts to support your position.
Hinson tip: be careful, though. It is all too easy for us to come across as paranoid and ridiculous, over-stating the risks (see point 1) and losing credibility. Please don't become the dreaded "No Department"! At some point, further attempts to explain, persuade or force others to do what we want become counterproductive, so change tack ...

- Develop some version of the 'information owner' or 'risk owner' approach. With their understanding and support, have the management/executive team identify 'owners' (middle to senior managers) who are expected/required to both protect 'their' information assets against harm and exploit the value of those assets for the good of the organisation. Emphasise the owners' accountability: if the risks that they are supposed to be protecting the business against actually materialise in the form of damaging incidents, have senior management hold the owners personally to account for their failings - more specifically, their mistaken decisions that evidently failed to avoid or mitigate the risks.
Hinson tip: this is a strategic move, a cultural approach that can be valuable as an integral part of your ISO27k ISMS and approach to risk management in general ...

- ... talking of which, actively forge productive relationships and collaborate more closely with your colleagues - not just other infosec pros within your core team but also those in other risk-related functions (such as Risk Management, Finance, Management, Health and Safety, Product Safety, Compliance, Site Security, Facilities, Loss Prevention, Audit or whatever), since the fundamental principles of risk management are broadly applicable. Work as an extended team. Support each other. Gain respect, support and influence from management as a whole. Look for useful opportunities (such as collaborating on shared interests) and worthwhile suggestions.
Hinson tip: developing strong professional relationships takes time and effort. You shouldn't expect much trust and support from people who don't know you and don't particularly care about you or your objectives.

- Look (even harder!) for points of common interest and alignment - for example where the infosec controls you are proposing would generate additional value and options for the organisation besides mitigating the information risks. Supplier assessments, for instance, can cover suppliers' capabilities, strategies, financial stability and other areas in addition to information risks and security and compliance aspects - areas that are worth monitoring on an ongoing basis, not just before contracting with them. Aim for workable compromises leading to a negotiated settlement, and more importantly progress.
Hinson tip: be realistic, negotiating and working towards mutually-acceptable, pragmatic outcomes. You may not achieve exactly what you wanted (some risk will remain), but you will gain respect by tackling this in a business-like manner, rather than being dogmatic and stubborn about it. Any move in the right direction trumps stalemate or regression.

- Work on the incident detection and response aspects, given that (in your professional opinion) the risks are untenable, hence incidents are going to occur. Have appropriate backups in place - not just data backups but broader resilience, recovery and contingency arrangements to minimise the operational impacts and business harm caused by incidents. Bolster them, adding specific 'compensating' controls where appropriate.
Hinson tip: if these are the very controls that management is resisting or refusing to implement, you have a problem! Be crystal clear in your assessment of the situation, giving explicit written advice to management, such that if the risks do eventuate and harmful incidents occur, you can at least say 'I told you so', evade the fallout and hopefully be more influential in future. Preventing management from being able to blame you for their failings leads to the next, more proactive suggestion ...

- Exploit corporate politics. Get Machiavellian. Manipulate and take advantage of weaker colleagues. Discredit and weaken your opponents. Engineer situations in which you shine in the limelight while others wilt. Use your friends in high places. Go dark. Pose a threat that demands to be taken seriously.
Hinson tip: study Letter to a Prince despite Machiavelli's approach being alien to ethical professionals, strong on personal integrity. It is important to appreciate that our work colleagues may be adept at these underhand techniques, and things are not always as they seem. Know your enemy. Think of this as legitimate social engineering if that helps.

- Choose your battles wisely: if you have a specific example of someone patently refusing to address a substantial risk that is way beyond a reasonable level of risk tolerance (especially situations where you clearly advised that a risk needed to be addressed ... but it wasn't, leading to harmful and costly incidents), escalate it explicitly to senior management. If absolutely necessary, put your foot down: make this a point of principle, integrity and professionalism, something on which you will resign if no action is taken. This is obviously a hard line to take but there are occasions in which it is appropriate to push things as far as you possibly can, being prepared to walk away from incompetent, intransigent and unsupportive management.
Hinson tip: way before you get to this point, you need to have worked hard over a substantial period to establish your credibility, competence and hence trustworthiness with management. In practice, this means either becoming part of the executive team, or at least having the genuine support of someone with the CEO's ear and the key to the executive washroom.

- If you simply can't or won't walk away from it, as an absolute last resort (perhaps following the previous suggestion, appreciating that you are burning your bridges and are unlikely to remain in post), blow the whistle: after fully considering your [naturally risk-averse] position, find an appropriate mechanism to escalate the issue as far as you possibly can. Raise it with senior, influential stakeholders such as internal and external audit. Notify the owners and regulators or other authorities. Raise it with relevant major customers. Go public through the social and traditional news media, in sheer desperation. Be prepared to explain and argue your position, dealing with the excuses and counterclaims typically made by management as they deny or downplay the issue and make a serious effort to discredit your opinion, challenge your competence and parenthood, and generally dismiss you as an ignorant, misguided fool, an obnoxious trouble-maker - possibly even a threat to society who should be locked up or shot. Seriously.
Hinson tip: before igniting the blue touch-paper, engage your legal team. They will doubtless challenge you to prove your claims, meaning you will need credible evidence to support your assertions. They may also be able to help you find and negotiate a way out that doesn't involve nuclear meltdown and the end of your career. Listen carefully to their wise counsel: it's what they do.

- Having read this piece, reconsider your position taking everything into account. Aside from the 9 responses I've described above, I'm sure there are other possibilities, other approaches that may be more appropriate under your specific circumstances. This is not an exhaustive list, merely some guidance on approaches that have worked for me and my clients plus a few that we haven't (yet, thankfully!) had to take.
Hinson tip: this is a cracker of a topic to debate with your colleagues and peers in the office, via social media, at conferences and infosec special interest group meetings (such as ISSA and ISACA). Many will appreciate the dilemmas and a few may well be facing this very issue right now. Talking things over shows that sufferers are not alone, and the infosec community can pull together. Comments and alternative suggestions are very welcome here too. Simply grab the pencil below and have your say.