Management Responsibilities and Communicating with Management


One of the biggest mistakes made by ISSOs is to assume that they "own" the systems and information. The ISSO must remember that the owners of the business, whether it be private ownership or public ownership through the stockholders, make the decisions as to how the business is run. The stockholders do it through the elected members of the company's board of directors, who are the risk-takers. Their responsibilities include making decisions relative to company risks.

As an ISSO, you are there because the management believes you have the expertise they need to protect the business's information systems and the company's information.

All too often, the ISSO gets into the "tail wagging the dog" situation where the ISSO can't understand why management does not provide the ISSO with the support that is needed or wanted. The ISSO must keep in mind that if management did not provide at least some support, the company would not employ the ISSO!

When decisions are made to process, store, display, or transmit information that goes against the desires of the ISSO, many ISSOs take that personally. Remember, it is not your information! It belongs to the business owners.

Of course, depending on your responsibilities and the authority delegated to you by management, you will probably be responsible for making the majority of decisions that involve InfoSec. However, even with that responsibility and authority, the ISSO must gain the support and concurrence of others within the company.

When an InfoSec decision must be made and that decision is outside the purview of the ISSO, the ISSO must elevate the final decision to a higher level of management. Although each company's culture and policies will dictate when and how that process will be implemented, the ISSO should be sure to provide complete staff work on which the management can base the required decision. In other words, the person making the decision must be provided with all the necessary information on which to base the decision. If that information is not provided to upper management, the wrong decision could be made, which may jeopardize the protection of the company's information and/or systems, or may cause the company to incur unnecessary costs.

If you have done your homework—if you have assessed the risks to the information and systems, the protection alternatives, the costs involved, and the benefits involved, and you are in a position to make your recommendations accordingly—then you have done your job.

Before you bring a problem and decision to management, you, the ISSO, should be sure that you have addressed the problem by providing management with clear, concise information, using nontechnical language, on which they can base their decision. The following, as a minimum, should be included in that process:

  • Identification of the problem

  • Possible problem solutions, to include cost and benefits

  • Recommended solution to the problem, and why

  • Identification of who should fix the problem (it may not be an InfoSec issue, or it may be one outside your authority)

  • Consequences of no decision (no action/no decision is always an option, and sometimes the right one)

Whether it is the responsibility of the ISSO to fix the problem or not, the ISSO should follow up. Once the problem is fixed, it is always good to contact the other personnel who were at the meeting where the problem was discussed and the decision made, and advise them either verbally or in writing when the corrective action is completed or the project is closed out.

An excellent gesture would be to send a letter of appreciation to those involved in fixing the problem, with appropriate copies to management. This is especially important if others fixed the problem outside your organization, or if staff outside your organization assisted you in fixing the problem.

It is the responsibility of the business management to make the final decision, unless of course they abdicate that responsibility to you. They, in turn, are held accountable to the owners of the business.

Remember that managers are usually only authorized to make decisions related to accepting InfoSec risks for the organizations under their authority. They should not be allowed by the business to make decisions that affect the entire company. If that appears to be occurring, you are obligated to ensure that the manager as well as upper management knows that information. This is of course a sensitive matter and must be handled that way.

A word of caution: Some managers will abdicate their management responsibility to the ISSO. As the ISSO, you may be flattered by such a gesture, but beware! You may also be getting set up to take the blame for the consequences. These consequences may be due to a decision that you may not have recommended—in fact, it may be a case where you were in total disagreement with management as to the correct course of action to be taken.

The responsibility of business management is a serious one. Under current laws in many nation-states, managers can be held personally responsible, and possibly liable, for any poor decisions that affect the value of the business. So, your responsibility as a service and support InfoSec professional is to give management the best advice you can. When their decision is made, do your job by supporting that decision and by ensuring that the information and systems are protected based on that decision.

There may be times when, in the opinion of the ISSO, management makes the wrong decision relative to protection of information. The ISSO then has several additional choices:

  • Meet with the decision maker in private to try to convince that person of the consequences of the decision and why it may not be right;

  • Appeal the decision to the next level of management;

  • Quit the job; or

  • Quit the company.

Another word of caution is needed here. Whether the decision is right or wrong, the ISSO should document that decision process. The documentation should answer the typical security/investigative questions of who, how, where, when, why, and what.

This is important, not from the standpoint of just another bureaucratic process, but to have a history of all actions taken that are related to InfoSec. Thus, when similar instances occur a year or more after the last decision, it can be used as a precedent. This not only helps in making subsequent decisions based on similar instances, but also helps ensure consistency in the application of InfoSec. Inconsistent InfoSec decisions lead to confusion, which leads to not following sound InfoSec policy and causes increased costs to the business. This mirrors the approach used by the legal community, where case law is cited to argue a current legal issue. Precedent is a logical process to follow—assuming that the decisions previously made were the correct ones, of course.

If it is subsequently shown that the last decision had unexpected, adverse consequences, then it will help the decision maker not to make the same mistake again—one would hope. People come and go, but a good historical file will ensure consistency and keep you from having to rely on the memories of people involved—assuming they are even still employed by the company.

For example, assume that a major decision had to be made concerning InfoSec, and the decision was determined to be that of management. You, as the ISSO, should do the following:

  • Lead the effort to resolve the issue;

  • Request a meeting;

  • Ensure all the applicable personnel are invited; and

  • Brief those at the meeting on the situation as stated above.

If you as the ISSO are to keep minutes of the meeting, the minutes should include:

  • Why the meeting was held;

  • When the meeting was held;

  • Where the meeting was held;

  • Who was at the meeting;

  • What information was presented and discussed;

  • What the decision was;

  • How management made their decision; and

  • Who made the decision.

Someone in management should sign the minutes of the meeting showing the results of the meeting—preferably the person who made the final decision. You will find that such decisions are usually verbal, and most managers do not want to sign any document that will place them at risk. So, how do you deal with such issues? There are several methods which can be used, all of which may cause your position as the ISSO to be questioned: "not a team player," "you don't understand the big picture," or "you are not a business person, so you don't understand the situation." By the way, having an MBA would definitely help in winning this argument.

Even though you have the best interest of the company at heart and it is the basis for your recommendation, and even though you consider yourself a dedicated and loyal employee, in the eyes of some in management you're not a team player. In other words, you are not on their team.

You will soon find that the position of the ISSO is sometimes a risky one. Even if you do the best professional job that can be done or has been done in the history of the ISSO profession, office politics must be considered. Such non-InfoSec situations will often cause many more problems than the ISSO will face in dealing with InfoSec issues, hackers, and the like.

If you don't know about such things as "turf battles" and "protecting rice bowls," the local bookstore is the place to go. There, you will find numerous books that will explain how to work and survive in the "jungle" of office politics. You may know InfoSec, but if you don't know office politics, you may not survive—even with the best InfoSec program ever developed. Always remember: "It's a jungle out there!"

Why is it that way? There are many reasons, but for ISSOs the primary reason is that you make people do things that they do not consider part of their job. And if they don't follow the InfoSec policies and procedures, they could face disciplinary action. So, you, like corporate security personnel and auditors, are not always popular.

Obviously, as the ISSO, you want to eliminate or at least minimize that type of image—the "cop image." It is hard work, but you must constantly try to overcome the negativism that people tack onto the ISSO and InfoSec. Some ways of countering that negative image can be found throughout this book.

Many business meetings require that minutes be taken. If so, and if you are not responsible for taking the minutes, obtain a copy and ensure that your recommendations are noted in them, as well as who made what decisions. This is the best method of documenting what went on in the meeting.

If the minutes do not adequately describe what has taken place—if, for example, they lack details of what was presented, the potential risks, or who made the final decision (all crucial pieces of information)—then annotate the minutes. Attach any of your briefing charts, sign and date the minutes, then place them in a file in case you want to use them as a reference at a later date.

Another method which can be used, but is more confrontational, is to send a memo to the manager making the decision in which you document the InfoSec options, costs, benefits, and associated risks. You then conclude with a sentence that states, for example, "After assessing the risks I have concluded that the best course of action is option 2." Leave room for a date and the signature block of the manager you want to sign the document.

The document should be worded professionally and should be as nonintimidating to the manager as possible. Even so, in most cases, you may find that you won't get a signed copy returned to you if you send it in the company mail.

You should hand-carry this document to the manager and discuss it with that person. Imagine yourself in the manager's position. When you put your signature on such a document, there can be no mistake. You made the decision. If something goes wrong, that letter may document the fact that in retrospect it was a poor decision. No manager—no one—ever wants to be put in that position. Remember that the manager does not have to sign the InfoSec document. In fact, no matter how it is presented, you will find most managers will find some way not to sign the document if there is the slightest chance of being second-guessed later. In today's environment of "touchy-feely don't-hold-me-responsible" management, today's ISSOs are more challenged than ever before to get management to own up to their decisions.

Asking a manager to sign such a document, especially if you have voiced disagreement about the decision, should be a last resort. It should only be done if you feel so strongly about the decision that you are willing to put any possible raise or promotion, or even your employment, on the line. So, you'd better be right, and you'd better strongly believe that it is worth it. Also, as the ISSO, you must do this as an ISSO professional, a person of integrity and principles.

Even so, you may end up being right, but also right out of a job. Well, no one said that being an ISSO professional is easy.




The Information Systems Security Officer's Guide. Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204
