At 04:02 PM 6/24/96 GMT, Ian Johnstone-Bryden had some good things
to say. I would like to add a few thoughts to his mail.
>> The question is, do you let it through your firewall when your
>> CEO asks for it ?
>The risk management answer has to be that you only permit that which can
>be permitted under the requirements of the risk policy. Anything which is
>outside those requirements has to be held or rejected until such time as
>someone decides that the rules have changed.
>The reality unfortunately is that the people controlling the gateways are
>often a fair way down the corporate structure from the CEO (and often less
>exaulted beings) and depend on a pay check to feed the family.
>Its a tough call.
Do the following:
1) Explain the risks (gently) to the executive management - in terms
that they can understand. If possible, quote an indepent source
(preferrably from a book, etc). This helps to make the issue
less personal (us vs. them) and helps boost your credibility
at the same time.
2) Make your recommendation - in writing, cc: several people (your
manager, the ISO (Information Security Officer), the CFO, CIO,
etc. Save the letter (you might need it).
3) Suggest alternative methods which help management to achieve
their business goals while doing so in a secure manner. Ask
the question "What problem are you trying to solve?"
4) Get someone from upper management to sign off on the risk. In
theory, this gets you out of the loop (noose) should things go
wrong. Be aware that this is no guarantee that your job will
remain secure (but it helps).
5) You might want to talk to the CFO privately. Generally, they
are able to make security a high priority & can sell it better
to the CEO & other executives.
6) Keep your resume on file (at home) & up-to-date. Make sure you
have networked enough so that if it becomes necessary for you
to jump ship that you have a place to swim to.
>Do you stick on principle? The CEO may not like it when you say he is
>wrong and you may get fired or life becomes so bad that you leave.
I stick to my principles. I call things like I see them & try to
be as diplomatic as possible. From my experience, many CEOs have
a problem with too many "yes"-men. They would much prefer to have
you tell them (politely & tactfully):
o what the real issues are
o what the choices are
o which choice you recommend
o why you recommend that choice.
Feed them the facts. Let them make the decision. It also helps
(a lot) if you have established a high degree of competence before
being confronted with the above situation.
>OTOH if you give way and your system gets shredded, the boss who was such
>a moron not to let you do your job right is not going to accept any part
>of the blame and you could find your head on a pike outside the front
Agreed. Hence the CYA (Cover Yourself Always) memo mentioned earlier.
>So maybe the call is between pain today, or extreme pain later. You should
>know your own CEO and your personal needs, but if you dont the right thing
>to do is attempt to do your job right which is observing the policy
>Aint life a bitch?
*I* don't think so. I think life is grand and offers many opportunities
to grow. Challenges are just part of the process. Three quotes:
"If you see a man on the top of a mountain, remember - he didn't fall there".
- Paul Dunn
"A ship in a harbor is safe - but that isn't what ships are built for."
- Grace Hopper
"Behold the turtle who makes progress only when he sticks his neck out"
If you are put in a difficult situation like this *always* choose the
right & let the consequences follow. Perhaps in the short-term things
may look a little bleak, but in the long run, it *always* pays to do
the right thing. NEVER compromise on your principles. I have been
in situations many times where I have had to make tough calls and
haven't compromised on my principles. It is not always easy to do
the right thing, but it is worth it.
Not compromising on your principles does *not* mean you dig your heals
in the sand and try to block business. The compromising of principles
is primarily an ethics issue - not a security issue. Also, if business
is proposing something unethical, or completely insane, figure out your
options and plot your heading from there.
It is also very important to remember that business runs the company
- *not* security. Work with them to try to design a solution which
is secure & helps them achieve their goals.
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist