Ranum's Rant - Risk Takers and Security Disasters

An interesting rant on Information Security from Marcus Ranum online here. I picked up on the following quote:

The security team explained why it was a bad idea; in fact they wrote a brilliantly clear, incisive report that definitively framed the problem. So the executive asked the web design team, who declared it a great idea and “highly do-able” and implemented a prototype. Months later, the “whiners” in the security team were presented with a fait accompli in the form of “we’re ready to go live with this, would you like to review the security?”

Sounds familiar. However, the important point is that security (or lack of it) is not, and should not be, the sole deciding factor in determining whether or not something gets done. The point is that the risks are known and reported. Management can then use them as a factor in their decision-making process. If security were the sole deciding factor then the business would have collapsed a long time ago and we’d all still be using typewriters and chinagraphs.

Good leaders take risks. We’d like assurance that they are actually balancing the risks and benefits before making a decision rather than just running on gut instinct. Even so, sometimes they will make a wrong decision, and security factors might sometimes mean the project fails or suffers an incident. However, without risk takers, there would be no innovation and no business growth.

It can sometimes be infuriating to report on risks and see them being taken anyway, but so long as you have identified what those risks are and reported them appropriately, then it’s job done.