Another post from the train. This time I am on my way from Utrecht to Leiden. Leiden is one of the oldest cities in the Netherlands, and proudly houses one of the most well-known universities in the country.

Very often, information security professionals are extreme perfectionists. The nature of our work requires us to be that. Defending against an unknown threat means that we have to be ready for any attack; missing one element or implementing one control in a vulnerable way will expose us to risk that eventually will manifest itself.

However, we also need to realize that perfection is not expected from us. Moreover, one might say that the organizations we work for expect that we will not be perfect. Obtaining a high level of assurance that we will not be faced with an attack is extremely costly, and might be more expensive than the organization is willing to pay. After all, if the cost of protection out ways the potential loss, most business will choose not to protect.

Perception is reality.


As information security professionals, we have to be very careful to
strike the right balance between pointing out the risks that we face
and becoming a herald of doom. Once an organization has decided what
risks it deems acceptable, it is the information security
professional's job to design, implement and operate the necessary
controls to reach or maintain that level of risk. Unfortunately, it
happens too often that an information security officer will continue to
announce impeding failure and that he will continue to complain that
the organization does not do enough.



Do not do it.



Nobody is waiting for a person who's very existence will be negative
and depressing. Once the organization perceives that it is secure
enough, there will be not much more you can do. You may try to
influence the perception, but you also have to realize that perception
is reality. If the person holding the budgets perceives that your
organization is protected well enough, it is your reality that you will
not get more funding.



Perception is reality.



Implementing a thorough and admittedly, somewhat manipulative,
information security awareness campaign can be a great way to influence
the perception that people in an organization might have. Most
awareness campaigns target workers, but targeting senior management
with an informative strategy may very well pay off. Senior managers
need to be talked to in their own language, and typically in their own
offices, in person or in small groups.



When talking to senior executives, you have to be prepared very well.
They have made it to their positions because they are intelligent, know
to ask the correct questions, are not afraid to make decisions, and are
willing and able to take responsibility for those choices.



Before you make statements like "a lost laptop will cost us $1M,
therefore I need $250k to implement a full-disk encryption program",
make sure that you can substantiate the numbers, know which legislation
will provide you with a safe haven from notification if the laptop is
encrypted, and know which other risks are associated with data loss
that can be prevented with encryption.



Be honest.

In addition to pointing out all the good things, also point
out some of the bad things. Full-disk encryption is not a silver bullet:
how much man power it will take to implement and operate the product,
how to handle the laptop when someone forgets credentials and the data
on the disk needs to be accessed, etc.



By being well prepared, and by carefully choosing your battles, you will
change you senior manager's perception, and as a result you will change
your reality.



Perception is reality.