I spent some time on the road this week, and it was great to see some old friends, meet some new ones, come up to speed on some topics, and more than anything take some time to listen. With my head full of dancing fairies relative to what’s really going on out there, I was interested when I came across Jack Freund’s post on the RiskAnalysis blog called “Executives are not Stupid.” Jack leads off the discussion by mentioning that “You don’t fall into a job to run a company or a line of business.”
Actually in my experience, continually validated by my primary research, many executives are in over their heads. The Peter Principle is not only alive and well, it gets in the way of the security professional’s charter on a daily basis. Come on, don’t make like you’ve never asked yourself what kind of pictures said executive has on the CEO to keep falling upward. You know you have, and you are probably right. Success in corporate life isn’t just restricted to the talented, that’s for sure.
It has been lore for years that to be good at security you have to think like a hacker. All that really means is that you have to understand the attacker’s motivations, get familiar with the tools they use, and use that knowledge to discover the path of least resistance (which tends to be the most significant attack vector). When we recommend that you systematically hack yourself, this is really to familiarize yourself with what the attacker sees.
The same goes for dealing with senior management. A lot of folks just get grumpy when a decision doesn’t go their way. They grumble about how senior management “doesn’t get it,” but in reality it’s a failure on our part to anticipate the (often obvious) reaction of the senior team. Most executives are, frankly, predictable. They act in their own best interests, always. And that means if you want to get anything done, you have to convince the executive that going down the path you suggest is in their best interest.
I know, this clearly involves political machinations and that is likely deplorable to many of you. It’s not my favorite thing to do, which is why I work with Rich and Adrian. But if you want the big title (or even a little title), part of that is playing the game. So you need to plan for success. That means before you pitch a senior exec on your pet project, you need to actively plan a strategy for lining up support. It’s not that hard, but it doesn’t happen by itself. You have to sit down and understand the playing field.
Start by asking yourself two questions, but you need to answer as the executive(s) rather than as yourself. And no, the questions do not include which new BMW you want or which Four Seasons you will visit on holiday.
- How will this make my life better? You need to have a crisp understanding of why it’s in this executive’s best interest to support your project, and that usually gets down to two things: more money or making him/her look good. If you can position your project for either of these, you have a chance.
- What is the risk? There is no reward without risk, so you need to really consider the downside for the executive. Where can this go wrong? How would this alienate him/her from peers or higher-ups? Basically you have to build a threat model from the executive’s perspective. And then you need to be able to overcome those objections, or he/she will kill your project. Guaranteed.
Building the threat model and overcoming the objections isn’t easy, which is why so many security folks don’t get what they want. Always remember, it’s not about protection or security. It’s about understanding the goals and success criteria for your organization and for every executive who can say no. I know your senior executives aren’t necessarily adversaries, but since they can get in your way and derail your plans, you need to map out a strategy to bring them to your side – or at least neutralize them.
And keep in mind that you will not win every battle. Sometimes they’ll still say no, regardless of your strategy or efforts. Keep each setback in context of the entire war, and move on to the next battle. Or decide it was more fun to configure firewalls. That’s always an option.
Photo credit: The Peter Principle: Why Things Go Wrong available on Amazon
4 Replies to “Know Your Adversary”
My experience is that many executives have no idea how fragile their environments are. They don’t realize that one person with an old version of Acrobat could be the open barn door. They really don’t understand how modern attacks work.
On the other hand, most companies seem to do OK even after a breach. They may take a hit, but organizations of all types tend to be pretty resilient. So playing the “hackers are coming” card isn’t a very good idea, in my experience.
As an infosec professional, I do feel that I have a responsibility to be a good steward of information and to promote the best way. So I try to put that approach forward as much as possible. But we all live in the real world, and as you said, they act in their own self-interest. If I have a choice between “Solution A” which will not solve the problem completely but get us past the next hurdle, and “Solution B” which will solve the problem and likely be laughed out of the meeting room, I will propose “Solution A.” Or, maybe I’ll go with a “silver and gold” approach.
I think we’re just both highlighting the fact that security is about people. The better we understand people, the better we can protect information.
I don’t really get enjoyment from playing the political game. When I read Jack’s piece, I really didn’t have much to say, since I both agree with him and likely would agree to disagree. You get a nice view up on the fence! 🙂 I even agree with you, but probably not universally. As Jeremiah pointed out to me on Twitter just the other day, relating a bit to the Peter Principle: No one knows what the fuck they’re doing. That’s not necessarily a dig on people, but in a way it is…
But what I think is your really important point is something that should be taken to heart by security: “A lot of folks just get grumpy when a decision doesn’t go their way.”
That’s really it. If we have a firm grasp of the fundamental “laws” of security, we should have a very firm grasp on the idea that security flies in the face of convenience and of other business units “getting things done.” That means if we’re tasked with, and we pursue, the highest level of security possible (which is sometimes the whole point of our job description), then we have to be prepared for not being able to get every last thing we ask for. Measure X impacts business Y too much, so we’re going to accept risk D? Fine, move on.
It doesn’t help that we’re up to our eyeballs in security and technology every day, while most executives are not; the immediacy makes us look like Chicken Little compared to normal managers. A car mechanic can outline every little thing we need to be doing to our car to keep it running nicely, and give us directives on what to do right now because wear-n-tear is showing. But that doesn’t mean we must accept every single thing he tells us and make a schedule for everything. (We probably should, but that’s our own internal decision balance of risk vs $$.) I tend to do what it takes to keep my car running based on the experts I have a relationship with and probably more than I *could* get away with, but I’ve been in the shop and witnessed people who do the opposite. Your last oil change was when?!
Really, security folks should be very used to not getting their way. I believe it is rare we get allowed to do all the things we want to and should do in the name of security; not the least of which are more man-resources. We should be very aware that the ROI is difficult-to-impossible to quantify, that we’re often a cost, and risk is hard to nail down in a value that everyone in the room agrees with, especially when weighed against other initiatives battling for budget dollars.
Often, the best we can do is our damnedest work in the dark back server rooms, keep things in line, be poised to pounce on incidents, find incidents, give expert advice when we have a chance (either advice on what to do or advice on why we don’t want product X that you heard your buddy talk about at the country club), and swoop in like Batman with eyes that *silently* say, “told ya so” on those “told ya so” incidents.
Good post, more similar ones expanding on the topic would be appreciated!