Slashdot Mirror


Information Security and Ignorant Management?

jmahler asks: "Suppose you work for a fairly decent-sized (but independent) CPA firm in the IT department. Suppose further that you have repeatedly warned the partners of the dangers of having unsecured laptops in the field, and have requested to replace the very thin, and rapidly aging line of defense (and functionality) currently protecting your network from all of the mean and nasty folks on the Internet. Let's continue, then, to suppose that the partners have all agreed to ignore every recommendation put forward regardless of cost or benefit. Is there a good way, beyond memos and emails, to inform the partnership that the water in which they tread could quickly become dangerous? What about absolving ourselves of responsibility for data theft and loss from a laptop 'disappearance' in the field?"


  1. Did you also propose solutions/steps? by TheLink · Score: 5, Insightful

    Because many bosses don't like being posed problems if there aren't convenient options provided at the same time.

    Or the options proposed are just unacceptable.

    e.g. instead of banning laptops in the field, have encryption for the laptops, and regular backup plans.

    As for the Cisco IOS firewall, I don't think it is really that bad; it just depends on what rules you have. Expensive firewalls aren't so important if you're not dependent on a GUI and don't have very complex requirements.

    What you need to do is secure and patch the exposed services - web, mail, app servers etc.

    If you have proposed steps and options, and they choose to ignore you, then that's their decision.

    But I would recommend that you prioritize having decent backups.

    --
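As an added illustration of the point that the IOS firewall is only as good as its rules (this is not TheLink's configuration and not the poster's network, just an example): a permissive catch-all ACL beside a default-deny ruleset for the same router. The outside interface name, the public addresses (documentation range 203.0.113.0/24) and the assumption that the IOS Firewall feature set (CBAC, `ip inspect`) is installed are all placeholders chosen for the example.

```cisco
! Assumed topology (not from the thread): FastEthernet0/0 faces the Internet,
! 203.0.113.10 is the published web server, 203.0.113.11 is the mail relay.
!
! Weak: one catch-all rule turns the "firewall" into a pass-through.
ip access-list extended OUTSIDE-IN-WEAK
 permit ip any any
!
! Stateful inspection for sessions opened from inside, so return traffic
! does not need a blanket "permit ... established" hole in the inbound ACL.
ip inspect name INSPECT tcp
ip inspect name INSPECT udp
!
! Default-deny inbound: spoofed sources are dropped first, then only the
! published services are allowed, and everything else is dropped and logged.
ip access-list extended OUTSIDE-IN
 remark -- private and loopback sources never legitimately arrive from the Internet
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 remark -- published services only
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.11 eq 25
 remark -- everything else, logged so the hit counters show what is knocking
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in
 ip inspect INSPECT out
```

After applying it, `show access-lists OUTSIDE-IN` shows per-line hit counts (the `deny ip any any log` counter is a cheap way to see how much unsolicited traffic the old catch-all rule was letting through), and `show ip inspect sessions` lists the sessions CBAC is currently tracking. Patching the two exposed hosts is still required; the ACL only narrows what can reach them.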
  2. Lots of wrong answers here... by Anonymous Coward · Score: 5, Insightful
    To date, most of the responses seem to be along the lines of "Cover your butt with a paper trail" or "find a different job." These are very common Infosec responses, and a large part of why companies want to keep Infosec insulated from real business management--most infosec people just don't get business.

    In a company, you have three value dials: Risk, Cost, and Functionality. Let's address each of them in turn:

    • Risk. This is the big bugaboo, and what everyone seems to be focusing on. Well, earth to IT geeks: businesses deal with risks all the time. Extending credit is a risk, yet it's done daily. Why? Because risk cannot be eliminated, ever, in any business transaction. Still, there are a bunch of possible situations here: management may be underestimating risks, you may be overestimating them, or you may be underestimating management's tolerance for unmitigated risk. You need to find out which of these it is, not just assume the first one is always the case.
    • Cost. Each business is in business to make money. IT spending, including security spending, is money they don't get to keep as retained earnings. No matter how much a business makes, no sane business spends any money without a clear understanding of the associated benefit. Now, you and I may think stuff like sports sponsorships makes less sense than buying a new firewall, but the marketing expenses are designed to increase revenue, and the Infosec expenditures are designed to prevent losses. When push comes to shove, business management almost always prefers to spend money on revenue creation rather than loss prevention. Maybe it's because they've been lied to for so many years by so many IT people about productivity benefits that never materialized--have we considered that no one believes us because we have, as an industry, cried wolf far too often?
    • Functionality. Customers want more functionality, but often don't see the tie between new functionality and increased risk. This is an area where I've seen risk professionals really struggle, because as employees, our job is not to say "no" but "that's not a good idea" and then further explain the consequences of their desired functionality. Again, refer back to risk and cost. If they want to not spend the cost to mitigate the risk, and accept the risk, that's their call. They're entitled and empowered, by virtue of their positional authority, to accept risk on behalf of the company.

    Bottom line? You need to ask about their risk tolerance. If their risk tolerance is higher than yours, that's fine. You're not there to impose some arbitrary set of security criteria on your business, you're there to implement the risk level management has decided to tolerate. If you can't tolerate the same risk level business management can, you can either try to continue educating them--on the assumption that you're right and they're idiots--or quit. So yes, you can document stuff and/or quit, but those are only means to an end, which is to align your business risk expectations with management's.