Sunday, July 28, 2013

Security Action Plans

As a security professional I've spent a lot of time considering security problems.  Action plans, I suppose, are all about what you can do with those problems.  This week I wrote an imaginary action plan.  If you recall, I've been working on developing plans for an imaginary company.  This company has no policies or procedures which reference security.  So I proposed some changes.  I am not really going to rehash those changes in this post.  I don't actually think that would be interesting to read.  However, I do want to take a moment to talk about this process.

From my perspective, companies are generally accepting of the way things are done.  If a plan for something doesn't exist, it means the leadership of the company hasn't acknowledged a need for it.  As a security professional, how do you convince a company to spend lots of money and time on solving problems they aren't concerned about?  Obviously you can go to the standby, FUD, but there has to be a better way!  Understanding the risks a business has and proposing solutions is not an IT practice.  This is a business practice.  My imaginary company only engaged services for its security problems after a breach.  That is what it took for them to see the need.  Wait though, we are back to FUD again.  I mean, I don't want to constantly try to convince people to do things because bad things can and have happened.

So, here is what I've learned from writing an imaginary action plan.  As a professional, writing an action plan gives you an idea of what must happen to solve problems.  It means that you can clearly articulate what is wrong and how to fix it.  Given the correct forum, you can argue for the needed changes.  I suppose the question is, how do you get someone to ask the question you have an answer for?  I don't think this is something I can even get close to answering.
