Hi everyone,

We have a problem here at the office. This relatively big organization (around 3000 people) doesn't have even one person dedicated to security! Since they think they haven't got hacked yet, upper management are basicaly saying: "why should we invest in security?".

A recent pentest showed that an attacker could get assess to EVERY SINGLE PC and servers! But that didn't help them change their mind. They change the anti-virus last year and found hundreds of malware, backdoors and viruses, but they don't want a full time person to look after their infrastrusture...

So what you we do?

1) Scared them by doing scary demos?
2) Show them what other similar places are doing?
3)

We are running out of ideas...

I have heard that so often! Maybe changing this mentality is the key to achieve my goal... Thanks ziggy_567

Thanks chrisj, you bring a good point.

Since we haven't had a big problem like this one yet (or at least, that we are aware of!), we could probably organize an exercise and extrapolate on the cost of a business wide outbreak or a major attack. Hummm...

But what about the impact on the reputation (for a government agency)? I guess we can also put a $ to it...

So, their response isn't business related it's emotional.  So, in my opinion, you need to make an emotional case as well as a business case.  

For instance, knowing that during an outage, it cost you X, but it may have also meant that a manager had to explain him/herself to someone.  Nobody wants to be at the helm when the ship hits the iceburg, so you may be able to play that card at the same time.  

Figure out how your company makes money, create some scenarios, demonstrate the pre-cursors for those scenarios to take place, and then talk about what could be lost and how much can be gained from some initially simple steps.

If they got every single box, figure out how to make that harder, my guess is you can probably improve things with some things starting simple and then leverage those changes into having a "security specalist" and then work the specialist into a team over time.  

Yes
Yes
Yes
and
Yes

<smiling>  Looks like you've got a good, running start, H1tM0nk3y.  Good luck with the effort!

Money makes the world go around and your management knows this however, most companies don't like spending a dime on security where they don't need to. A method I've found for making them sway from this position is to not only justify the the business case FOR protecting themselves, but also the business case for protecting customers, vendor relationships AND for MAKING money off of security.

When I first started in my company, security wasn't an iota of a thought. Sure they had a firewall here, VPN there, antivirus here, etc., etc., we had individuals that didn't understand the technology, proper deployment, etc.

After reviewing our current infrastructure, I began laying out the roadmap of what I wanted to accomplish. 1) Securing our network 2) Developing an internal security team 3) Raise security awareness 4) Develop a mechanism to earn off of a secure infrastructure and services.


1) Was simple since I was tasked with being the lead security tester for a SIGv5 audit + PCI Assessment. Since I understood security in practice more than anyone else, my company flipped out at the thought of losing clients for audit failures and losing the right to process credit cards, etc.

2) A little tricky since I had to make management understand the benefits of training me and my colleagues. Management's fears will be "they will jump ship once certified..." I discussed with them the benefits of being able to go to clients with "credentialed" staff as opposed to "who are you again."

3) We do mailings every here and there where I will take news excerpts to raise awareness. Since we're a small company, I can interact and explain things to most employees. I use a lot of analogies to help them understand. This allows my colleagues to take the information with them and use it at home too. Something they appreciate more when presented to them like that.

4) After going through these motions for 3-4 years here, I developed, documented, explained, configured and deployed services to not only us here, but to certain clients. This enabled management to take a step back and focus on offering security as a service.

Anyhow, there is no "one size fits all" solution. Management does not like spending money. You should focus on fact that the costs of a compromise are a lot higher. Point out the FACT that even the biggest companies (Google, Raytheon, etc) are compromised and we KNOW they've spent on security. Make it a business case: the cost of NOT securing versus the one time cost of a compromise. Regulatory controls are your friend: If you need to maintain compliance, focus on the benefits of keeping compliance. Also focus on educating them about the potential revenue they CAN make by touting: "A Secure Company", "Defending our Clients", etc., most companies are aware of the security risks and most companies would prefer to do business with a company that is responsible as opposed to having "zero security."

In the event you do business with certain companies, it will be inevitable anyway. One of our clients is in the top 3 telecommunications sector worldwide. We were forced to do a SIG audit or risk losing business. After going through the motions with senior management, they then understood what the fuss was about. Being able to hand over a "statement of security accounting" shows the partner/client/etc., that you take business serious.

That doesn't always hold true. I've worked for 2 companies that have been hacked. Neither one really changed their stances.