What you will learn from this tip: How a simple document can hold management responsible for security and encourage them to comply with security policies.
Convincing management to comply with security policies and regulations is a common issue for many security practitioners. The problem is that managers don't consider security their responsibility. So how do you get business units, system and application owners to comply with policy and regulations? The answer is simple. Make sure they know they are the owners of these systems. If that fails, make them accountable for risk.
Back in the old days of the industrial age it was clear to everyone that management had responsibility for the factory and the machinery. With huge investments in these assets, management had a fiduciary responsibility to protect corporate assets.
Fast forward to the 21st century and for many companies these assets are databases, applications and business systems. Sure, there are still manufacturing plants with large machinery, but even there computer control systems are a big part of the picture. With intellectual property, business critical data and applications in many cases representing more than 50% of a company's assets, management has the duty to protect these assets. Your job is to help them first realize this truth and secondly to offer your professional security skills to help protect the assets.
You may need to have several discussions with management to ascertain who "owns" specific applications and systems. If it is not entirely clear who is responsible, ask the following questions:
- Who has the authority to shut down or decommission the application or system?
- Who commissioned the system or application to begin with?
- Who currently makes management decisions about the system or application and who do they work for?
- If there was a public incident involving the system or application, who would be in charge of handling the business response and act as the point person?
Sometimes executive management is not identified with certain products or systems. In these cases, the best you can do is identify their direct reports who are at least culpable. If the direct reports can't reply or won't comply, then naturally there is a need to go to their management. So you may find yourself talking with executive management after all.
Once the application and system owners are identified, you must present the policy or regulatory issues in plain, layman's terms. Many failed attempts to get management support can be attributed to security practitioners' inability to clearly explain the problem or solution. You have communicated the issue only if an executive can repeat the problem in his own terms.
After all of this legwork, you may still lack management's support. Worse still, regulators, customers or auditors may be clamoring for a fix. Without the budget, cooperation, resources or ability to correct an issue, it would seem you are no better off than you were before, right? Perhaps you are feeling queasy at this point. It's time to turn to BARF -- the Business Acceptance of Risk Form.
The BARF is a great way to get management's support when all else has failed. It is a security practitioner's "ace in the hole." For the form to be effective it must clearly spell out the risks associated with not proceeding with security's recommendations. It should also detail the efforts to date by the security group to correct the issue.
The form is a simple risk acceptance memo that describes the security problem, identifies the business owner of the system(s), suggests actions to be taken, the rationale given by management for not taking the actions and a clear statement of the willingness to accept the risk. Language like, " I ,
At this point the security department has taken the issue as far as it can. In many cases the business owner will not sign the form. They will have a change of heart and become willing to take the actions as recommended by the security department. If the business owner is unwilling to sign the form and unwilling to follow the recommendations, then the next option is to take the form to the legal, compliance or financial risk executive. This is typically the general counsel, CCO or CFO.
The first question an executive may ask is why you are coming to them. The answer is again simple. As the security practitioner, you don't have the authority to accept risks for the business and the folks who do have the authority won't comply or accept the risk. The executive is the last remaining person with the authority to accept such risks for the company. The executive will typically speak with the business owner and try to end the impasse. In some cases they may sign the risk form. I have never seen this approach fail, and if it does fail, there is a paper trail that demonstrates the security practitioner's many attempts to resolve the issue. No one can fault you for that.
If used properly, the business acceptance of risk form can place the risk of non-compliance with the rightful owner and relieve the security department from accepting risk that is not theirs to begin with.
George Wrenn, CISSP, ISSEP, is a technical editor for our sister publication Information Security magazine and a security director at a financial services firm. He's also a graduate fellow at the Massachusetts Institute of Technology.