Why leadership doesn't take security seriously (reposted from the CISSP forum)


Billy

Jul 11, 2007, 2:16:05 AM
to CCClub (China Information Security Professionals Club)
kaolafen 2007-07-06 09:56
400 employees and an annual output of 300 million; by any normal standard the company is no longer small,
and every line of business is growing very fast. Yet the company pays almost no attention to information security.
As the security engineer, in my day-to-day work I can see security holes in many areas of the company.
These holes are not just system vulnerabilities; more of them are management gaps. I have tried
to do a lot myself: submitted security assessment reports, written many proposals, but honestly
my position in the company is low and my words carry no weight, so none of this work has had any effect.
When I talk with other people about the company's situation, they all say: your leadership's vision surely
sees further than yours; they don't take security seriously now because they feel the status quo is acceptable.
What does everyone think of that statement, that the leadership feels the status quo is acceptable? Thanks for any advice!
Does it mean I should choose to leave here and go work for a company that takes security more seriously,
or I could wait for the day the company's leadership takes security seriously, but how long would that take?
Lost..........

transf0rmer 2007-07-06 11:19
The phenomena described above are very common. More often than not the person in charge of information security, or the CSO, is in a nominal "shut up / sign off" (SUSO) state.

Obviously,
the relationship between security and the business has never been sorted out, or at least the CSO has not helped the boss understand it; that is the first point.
The security manager or security staff have not made the CSO see that security management and security operations can create value for the business beyond just keeping it running; that is the second.
Many factors affect how well the business runs, and not all of them are security factors; more often they are closely tied to whether the business's own configuration, change and process controls are in order. The boss does not see any of those causes; once the boss sees the business halted or affected, he only holds security responsible; that is the third.
Security is always built passively, bottom-up, outside-in, perimeter-to-endpoint, while the business-centred approach in which security leads the construction is ignored, and new products, new technology, new controls and new frameworks are followed blindly. Trying new things inevitably has a cost, and that cost is obvious: the tangible cost can be borne, but what about the intangible losses? Who bears those, the boss? That is the fourth.

Hence, perhaps we should think about how exactly to view security, read security, do security and talk security
from the business's point of view......

In other words,
if the value relationship between business and security can convince the boss that "security safeguards the business", you will certainly get some support from the boss; combined with the most productive implementation measures, you will naturally reach the short-term goals. That is the "opening" (起).
If that relationship can convince the boss that "security promotes the business", you will certainly get much stronger support from the boss; combined with the most productive implementation plans and measures, you will naturally reach the mid-term security strategy plan. That is the "development" (承).
If that relationship can convince the boss that "security is the business", the boss will certainly take it seriously; combined with business-oriented security planning, the business value of security will naturally be realised. That is the "turn" (转).
If that relationship can convince the boss that "security transforms the business", the boss will certainly look at you with new eyes. That is the ultimate goal, the "conclusion" (合).

Odds and ends, a few rambling words; I am only throwing out a brick, and jade thrown back is welcome.

kaolafen 2007-07-09 10:32
The explanation from the senior member above is very incisive, thank you very much!
If you hold the CSO position, you can deal with the leadership directly, communicate your ideas and plans
to them properly, and let them see your results first-hand.
But if your position is insignificant, to the point that nobody even realises your post exists,
then every piece of work you try to start will be an uphill struggle!
A good proposal or report of yours may well be killed off by your direct supervisor and never even reach
the department-manager level, so it is extremely difficult!
Besides, a commercial enterprise like this is not a bank or the military, which have security levels required by the government.
That is probably another reason commercial enterprises do not take security seriously!

perlish 2007-07-09 12:36
+1 to Transformer.
It is very important for the security department to have real authority; otherwise it is just the filling in a sandwich, and very hard to get work done.

seablue 2007-07-09 19:40
Transformer tells us how a master would turn around such an unfavourable situation. "Non-experts, please do not imitate."
Besides, it also has something to do with the BOSS. As the saying goes, "those who employ teachers become kings, those who employ friends become hegemons, those who employ followers perish." So even a top expert should decide whether to advise, and how, based on the BOSS's situation.

"This little matter of security" is receiving more and more attention; that direction of development is something we all agree on. Let us encourage each other with it.

transf0rmer 2007-07-10 12:36
I do agree that acting like an iron mask to security will get you
involved. But we must divorce the idea of OPERATIONS vs.
SELLING(Consulting). Clearly you need to think different from a
protection standpoint, but I can tell you that senior management DOES
care about what they are doing. Security is overhead, and overhead is
to be minimized. If you can make the case that other folks are
spending a lot more and/or getting better results, then that is
something that bean counters will respond to.

It's sad, and not right, but it's true. Of course, finding a peer
group to share information or security is hard and as we always say,
getting apples IPHONE to apples comparisons is even harder. But since
we aren't really planning on using that information to run the
business, we just need to be able to make our case look good.

Is it really a compromise? Do you think so?

Any suggestions needed.

l0pht 2007-07-10 15:26
I think demonstrating the importance of security from the technical angle is very effective; let me give an example here:
I once did a risk assessment for a large client with assets of several hundred billion. With no information at all, through black-box testing over an ADSL connection I found some business vulnerabilities that could directly cause major losses to their core business; if they had really been exploited by malicious hackers, their core business would have suffered extremely serious losses. Because of that successful risk assessment, their senior leadership switched at once from not caring at all to taking security extremely seriously. There are many successful examples like this. At least 90% of organisations' networks in China carry fatal risks like this, so why not approach it from the technical angle?

transf0rmer 2007-07-10 16:53
Technology
|
Value - Power - Management
|
Awareness - Value - Capability
|
Security - Capability - Value
|
Technology

The colleague above spoke of the effect technology has on leadership; in my view that is only an isolated case. Technical proof cannot play a decisive role, or rather its range of influence is limited. I offer the diagram above to show some of the relationships; from it you can see that the process of bridging the gap between one technical layer and the next is very long, and that is the real centre of gravity of the management process.

The shift from old to new technology is a slow process of quantitative change leading to qualitative change. You can prove to one person that security is very important, or prove it to ten people...... but that is only temporary, local behaviour, not long-term or sustainable, and therefore it has no capacity for overall influence.

Mirror mirror on the wall, what is the most secure of all?
Management's awareness? IXS or A(dvanced)IDS?
You have to be kidding me, but the answer really doesn't matter
because they are all distinctly insecure in the hands of the common
user.

And it's really an entirely continuous failure as the hackers could
easily do anything they could. Isn't it?

transf0rmer 2007-07-11 11:45
Generally speaking, the managers own their security problems in each
view. This has serious implications. Developers are compensated for
delivering a product on-time and typically get the bulk of their
compensation for completing the business on time. Therefore, they
probably do not have real incentives for good security design or
practices unless such incentives are written into their contracts.
Also, because the managers still see themselves in the "developing"
business where most revenues are earned in the first 30 days after a
product release as opposed to a longer sales and services cycle, they
have allocated security into the QA or distribution side of the
business.

This is the key to achieving the goal of security. Managers also
have been telling us for years that security needs a "Pearl Harbor"
incident. Part of my motivation for digging into this incident is to show
that, while Pearl Harbor hasn't happened, the managers have
experienced a number of Dunkirks, Polands, and North Africas, where
there is little power or incentive to address security strategically.

However, security is being taken more and more seriously by managers
once they are in operation. After all, this is where security failures
cost real money. I am not so sure about managers' minds. But it is much
easier to change PowerPoint slides and specifications than a running
business.

More business, more problems, more loss, more cost, more secure, ...or
not.

Any suggestions needed, thanks.

Note: the discussion above is taking place on the CISSP forum; I am reposting it here and welcome everyone to join in.

Original thread:
http://bbs.chinacissp.com/viewtopic.php?p=49693#49693
