How to Suck at Security for Executive Management

An off-beat comment from a colleague last week gave me the idea for this post. We were discussing the ways in which security programs fail, and he jokingly suggested that I blog about how to fail at security rather than how to succeed. This struck me as a really good idea. We spend a lot of time focusing on how to improve security, but comparatively little time talking about how you can fail at it. So if you are in senior management, or know someone who is, and truly want your security program to fail, here's how:

  • Don’t define a high level vision: As a leader, you might think that steering the ship should just be left to the worklings. After all, you have worked long and hard to get where you are today. This is the point at which you should be able to kick up your feet and relax! If this is you, then you should not make it clear how the security program should fit within the overall business objectives. Don’t worry, it will work itself out.
  • Micromanage: This is the opposite of the strategic approach. You should be able to relax, but you just can’t trust the worklings to accomplish your vision. Maybe you hired the wrong people, but whatever the case, you should make sure to watch their every move. If you don’t, they will just surf blogs like this one.
  • Mandate unfunded initiatives: Having a properly funded project plan for security initiatives is so web 1.0. Nowadays, you can either just let the cloud worry about it or let the worklings use open source. After all, if there are no licensing costs, there can't be any costs to implement and operate an open source solution either. They'll complain about not having a budget to work with, but they'll eventually give up and just do it.
  • Move your risk into the cloud: Cloudy, cloudy cloudy, that’s what it’s all about-y (just go with it). When you move your critical infrastructure into the cloud, it can’t fail. Clouds don’t go down, they are elastic and just keep growing like magic. You don’t need to worry about the details, that’s why you write the check every month. You no longer have to worry about risk when your data is in the cloud–after all, all the big companies are doing it.
  • Blame the security department for a breach: The entire reason you have a security department is to prevent breaches. So, if you have a breach, then someone must not be doing their job. Never mind that you didn’t give them the responsibility, resources and accountability to get the job done, there are plenty of people out there looking for jobs. You can just wipe the slate clean and start over. The Board of Directors will then know you take security seriously.

There are other things you can do, but this should get you started. I wish you all of the failure you can hope for!

2 comments on “How to Suck at Security for Executive Management”
  1. Priceless! Unfortunately way too many C-level execs would read this and walk away, comforted that they've hit every bullet point but missing the “suck” part of the title.

  2. chmeee says:

    It reminds me of this list I made a long time ago in an abandoned blog (http://sechabits.blogstpot.com/2008/10/ten-top-security-habits-from-experience.html):

    * Never plan security, let it happen naturally

    * It’s better to apply any security controls in the production environment

    * No matter what you do, the security guys will know how to secure it

    * Always trust your internal networks and users

    * You don’t have to notify security, it’s their job to know what’s going on

    * Always blame the security staff when something goes awry

    * Never read any security document

    * Easy passwords might be guessed, strong passwords will be forgotten

    * Better to spend on big, expensive, hype-type security consultancy projects than on cheap, small hands-on-security-that-works projects

    * If they don’t know it they can’t attack it, obscurity is the best security technique
