Friday, December 3, 2010

Managing Expectations for Security

Whether you are leading a new security program or leading an existing one that left many with sour memories, or worse, both, Management may have a perception that you are a heroine here to save the day. Similarly, as security professionals, we oftentimes think a product we purchase may do just that (more about this later).

Nevertheless, it is of immeasurable importance to manage expectations as early as possible, best done when you broadcast the course you chart (your Security Roadmap).

Suppose your company does not give anyone the sense that you are secure or safe. Just because you have been appointed doesn't mean the change will happen overnight, in a month, a year, or even two years. Furthermore, you need to reinforce that very expectation to Management.

Why?

Changing brand perception is one of the most difficult things any company can do, whether it is changing the perception that this Company can deliver services or products very different from what it does today, or something else. Think about the American auto industry. It was over 10 years ago that they delivered some of the worst quality products to date. Now, however, Ford is one of the top rated manufacturers of quality, yet many Americans, previously trusting and then horridly burned (some literally), are hesitant to return to Ford. Changing a brand perception takes years. Microsoft has been working on it since Windows 95, and now in Windows 2003, 2008 (let's not think about Vista), and Windows 7, they have begun to show they can help set the pace in software security (how many others have modeled their vulnerability management program on Microsoft's as an example to improve upon?).

If changing brand perception takes years, losing it takes only days or months (think about BP). Reputation is easy to destroy and hard to build and maintain.

Oftentimes, customers don't demand security or explicitly ask for it. They expect it. It's something they don't think about or necessarily ask for unless they are already quite aware of the need for and importance of security. Thus, it is a frivolous point to say that we don't need security because not a lot of people ask for it, or that we don't need to fix this because not a lot of people reported it. Security vulnerabilities are defects, but not all defects are security vulnerabilities.

These are a few of the many expectations that must be managed and concepts that must be instilled.
