I guess to answer the question for my case alone it's interesting to look at my supervisor history and make analogies from that. Thinking about it, it might shed some light on the managers others have to deal with.
My first supervisor was the CEO. There was the obvious period of "trust building" that took place on both sides but once the CEO understood 2 things about me I was given more or less free rein and my decisions and my input were carefully considered in the "big picture". The two things were quite simple really..... I have a grasp of my subject and a grasp of their impact on the organization and that I always do what is best for the organization.
Then a decision was made to reorganize the structure of the organization to reflect a more corporate environment. In doing so they hired in a CFO and placed my department under him....
My second supervisor was the CFO and this was a mess. His basic lack of competence was reflected in his distrust of everyone. This manifested itself in the fact that no individual could tell him anything about anything. It all had to go to committee where he made copious notes and the committee made the decision. By managing in this fashion he avoided actually making a decision and if a decision were made that went wrong he would go to the file, pull out the notes and show that the decision was not his but rather that of the committee. This "method" also served to "choke" everything, making decisions take weeks or months rather than minutes or days. I cannot imagine the process of HIPAA compliance if he had been there to give "input".... We'd still be reading the regs rather than acting upon them.
After 18 months of this gentleman I went to the CEO and, to all intents and purposes, told her it was him or me..... (Remember: He was still in the "trust building" phase that I passed several years previously.... ;)). After a three way meeting where I demonstrated the harm he had done to the organization in such a way that he could only stare past the CEO's head and say nothing - yes, I can be a formidable opponent if you piss me off and harm my department or organization - he saw the crayon on the wall and resigned.... I believe the resignation wasn't _entirely_ voluntary but that's none of my business.... my job was done.
My third and current supervisor was a director that became the COO in the reorganization. Consequently, I had worked with her for ten years or more so we were familiar with each other, trusted each other and actually have a good personal relationship too.... I call her "Dear", (in the "wifely" sense), when we speak.... ;)
I think the key item in my experience is trust. Management has to trust your subject ability, your business ability and your commitment to the organization. In many cases you also have to be able to trust the managers too. You won't always get your way, (hell, even I lose a few), but it's the dialogue between intelligent individuals that results in a "sane" resolution.
There's also got to be the feeling from the manager's POV that when you suggest something, it has been well researched, it will do what you say it will and that it is more cost effective than any other possible solution. Cost effective can be a "moving target" - it may cost less in initial outlay but take 50 man hours a week to manage... Obviously that's not good and your managers will always question the cost effectiveness and ask questions you never thought of.... You have to have the answers right there and show that you have considered _their_ potential reservations... Do it enough and they stop asking the questions... Except those that shouldn't be there in the first place.
With some managers you will have to write a 50 frame PowerPoint and spend 3 hours selling the "product". With others you will be able to walk into their office and say "Boss, for <insert regulatory requirement here> we need to do this costing this" and it will pretty much be accepted. Eventually the "50 frame PowerPoint" manager will come around.... or not.... If it's "not" then it is time to move on if you have the skill set and business understanding to do so. Frankly, if you don't, then the manager is right when he overrides your decisions.
So... Having gone waaaay off topic, (in a way), the point of the whole post is that good managers trust their employees' ability in their field and when you "suggest" something regarding the compliance issue it will, (at least), be seriously considered. Bad ones don't. If you find yourself with the ability to make informed decisions yourself with regard to regulatory compliance, with a manager that doesn't listen/trust, and you might find yourself liable somehow, then you have only one choice..... Get Out Now...... Before you find yourself prostrated in front of a jury of your "peers" that can barely check their own email.....
Am I living in a "special" environment? Maybe. Am I competent to give the advice I do for the level/size/potential risk to my environment? Absolutely.....
Actually ... very good, Tiger. Bravo!
You, at least, are surviving in a very dangerous, volatile environment. These are the kinds of insights the newer folks should read, heed and take to heart.
Sure it does! Tiger, myself, and the likes of us call that job security. You just have to dot your i's, cross your t's, and DOCUMENT EVERYTHING.
Originally posted here by Timmy77
..but, of course, when their illusion of protection fails - typically in a manner you told them it would fail - you're still the one who pays the price. It just doesn't pay to be at the bottom of the management food chain.
Jinxy, don't be sorry. Your input is actually helping form my official position, and you have made valid points. I don't HAVE any good answers. I think that if one thing has been made clear in this discussion, it is that sometimes compliance will take a higher priority than security, sometimes not, they can and should often be mutually exclusive (thanks catch), and no one scenario is always right. A difficult truth for us professionals is, sometimes, compliance with 'less' security is the better overall business decision. We call that risk management (at least in one sense it is.)
As a dyed-in-the-wool Unix SA-turned Security Engineer, I want to stuff the auditors in a cramped wiring closet and go home for the weekend. My personal preference would be technical and operational security over some regulatory statement every time. But I don't have to answer to the same stakeholders that my boss does...at least not directly. ;)
Could it also be that because this forum is security focused that we tend to have a hypercritical view of the shortcomings within our organizations? Or is everyone else out there in the corporate world just blind to the threat that is out there? Perhaps the truth lies somewhere in the middle?
In the end I'd put my vote down for placing more emphasis on actual security rather than enforcement. Human behavior has a long-term history of disobedience when dealing even with the simplest of requests. (Why do we speed on the freeway even though we know it is dangerous?)
There is no substitute for real-time, proactive security measures. Ignore this cold, hard fact and you'll have to play damage control soon after. Perhaps this viewpoint is rather cynical, but better safe than sorry when protecting your infrastructure.
We live in a parallel universe Tiger. Organizational change is necessary, but I have survived and continue to work for the CEO. Although due to compliance pressure, get this - we are FORCED to have committees make the decision. In the view of those overseers, 5 people making a decision versus 1 person assumes less of a risk should it fail to pan out. HUH? I see the logic if one could fill the room with technical minds and when it comes to hardcore software development I would agree. But participating in a room filled with minds that get bored with the mere mention of "internet filter" is problematic to another topic... the faulty and often illogical mindset of auditors running off the "trends" of circa 1998. That is when most of our compliance regulations were drafted.
So until my power is removed, I drive IT business strategy and bring the decision to a committee after money is spent and implementation is complete. They happily sign off because they are not forced to undergo the cost benefit analysis or detailed technical diagrams which I can happily display for hours at a time. Having this committee has definitely relieved some compliance pressure though. They like to see some internal "oversight" for IT regardless of whether the substance is beneficial. In that respect compliance is just fluff to toss at a bean counter.
So to share some internal rambling... compliance and security collate into risk management as many have introduced. In fact the mere presence of a good risk management strategy will guide compliance. In my opinion it is the heart and soul of compliance both external and internal to your company's own policies. In fact IT Risk is one small category that falls under the umbrella of Business Risk. That is risk to the organization regardless of the origination. Once we understand that, and shift focus away from our IT closets (we love our closets) new doors open up and IT becomes a critical process in management.
RC's Copyrighted Business Risk Factors:
I am leaving out a lot of the scoring formula but you can get a picture of the overall business risk process. Let's pick a task and assign a level of impact on a scale of 0 to 3, 3 being the highest impact and 0 being no impact...
IT Risk Factor: Desktop Management and Support
Financial Risk: 2
Operational Risk: 2
Strategic Risk: 0
Legal/Compliance Risk: 0
Business Risk Factor: 4 (add ‘em up)
Potential For Change: 1.25 (hey things change, add it in. Items with a high potential of change have a higher number that increases the risk weight)
As you can see, if we took a task risk like Compliance it could have a higher risk rating than a specific IT Security risk item. It could affect the overall business strategy and legal risk. OK, let's pick one:
IT Risk Factor: Business Continuity Planning (not security at all!)
Financial Risk: 3
Operational Risk: 3
Strategic Risk: 0
Legal/Compliance Risk: 2
Business Risk Factor: 8
Potential Change Factor: 1
Now would I spend money on desktop support or business continuity planning? Security or Compliance?
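Added example (not RC's own scoring sheet, which he says he has abridged): a small Python model of the business risk factor above, scoring the two items from the post and ranking them. It assumes the "potential for change" number multiplies the summed factor, which is my reading of "increases the risk weight", and that every impact level must sit on the 0 to 3 scale.

```python
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 0, 3  # impact scale from the post: 0 = no impact, 3 = highest
IMPACT_FIELDS = ("financial", "operational", "strategic", "legal_compliance")


@dataclass(frozen=True)
class RiskItem:
    """One IT task scored against the four business risk categories."""
    name: str
    financial: int
    operational: int
    strategic: int
    legal_compliance: int
    potential_for_change: float = 1.0  # assumed multiplier; 1.0 means "stable"

    def __post_init__(self):
        # Reject scores outside the 0..3 scale so a typo cannot skew the ranking.
        for field in IMPACT_FIELDS:
            value = getattr(self, field)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: {field}={value} is outside {SCALE_MIN}..{SCALE_MAX}")
        if self.potential_for_change <= 0:
            raise ValueError(f"{self.name}: potential_for_change must be positive")

    def business_risk_factor(self) -> int:
        """'Add 'em up': the unweighted business risk factor."""
        return sum(getattr(self, field) for field in IMPACT_FIELDS)

    def weighted_risk(self) -> float:
        """Assumption: the change factor scales the summed risk."""
        return self.business_risk_factor() * self.potential_for_change


def rank_by_risk(items: list[RiskItem]) -> list[str]:
    """Names ordered from highest weighted risk to lowest: spend here first."""
    return [i.name for i in sorted(items, key=lambda i: i.weighted_risk(), reverse=True)]


# Constructed sample data, copied from the two items scored in the post.
DESKTOP = RiskItem("Desktop Management and Support", 2, 2, 0, 0, potential_for_change=1.25)
BCP = RiskItem("Business Continuity Planning", 3, 3, 0, 2, potential_for_change=1.0)

if __name__ == "__main__":
    for item in (DESKTOP, BCP):
        print(f"{item.name}: factor={item.business_risk_factor()} weighted={item.weighted_risk()}")
    print("Spend first on:", rank_by_risk([DESKTOP, BCP])[0])
```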