Previous Issue's Dilemma:
Scare tactics are in order
When it comes to being proactive, I have a hard time getting our executive team on board. To the tech team, it is obvious that a repeatable software security procedure or system for a repeatable way of doing things ensures stability.
However, if it requires an expense of money or time, the executive team is not so keen on giving us the budget needed. There are plenty of scary security stories out there, but what will get through to the leadership? Do your readers have some security horror stories that I can use to put the fear of God into my executive team?
-- Jarod, (company name withheld)
There's more than one way to skin a cat ...
Jarod, you've really hit a nerve with your question about how to scare or, let's say, shock management into valuing and budgeting for security. All of the respondents were concerned about the issue and interested in letting us know what has worked for them or what they're planning to do.
In general, they suggest you take one or more of the following steps:
1. Think up some good scare tactics.
2. Mount a realistic attack scenario.
3. Show management the bottom-line losses.
Think up some good scare tactics
Jack S., a database administrator (DBA), suggests that you use outright scare tactics such as worst-case scenarios. One "shock" method he suggests is sending management to www.cybercrime.gov, where they can find some spectacular prosecuted cases that might make them think twice about ignoring the pleas of the security team.
He says the cases include an Intel employee charged with $1 billion worth of theft of trade secrets that he intended to sell to a well-known competitor. Or the disgruntled former employee of a company who hacked its network and email to the tune of $1 million in losses. Or the guys who parked near malls and hacked retailers' wireless networks, where they could leech data from customer transactions.
"Hackers are smart, and execs really need to get online with security, or there'll be a price to pay."
Another respondent thinks that you should take shock tactics even further. He suggests that your tech staff research the Web Hacking Incidents Database for a story that would resonate with management if it happened to your organization. He continues, "Save a copy of the story locally and edit the name of the victim organization to that of your organization; then show the story to your manager. If he buys it, let it go up the chain until it's time to call your bluff, and let them realize what could have really happened. You get bonus points if the real victim company is one of your direct competitors."
Mount a realistic attack scenario
Nathan Christiansen, a software engineer and self-proclaimed "unofficial software security evangelist," tells us that he is currently preparing a proposal for a Software Security Initiative at his company. "I am including a realistic attack scenario in the presentation. The attack is an SQL Injection Attack against a program used internally. My attacker is an outside entity with a grudge against the company who spends a little time talking with former programmers who likely took the source code home with them before they quit or were laid off (I can think of two off the top of my head).
"The attacker obtains the source code. The attacker comes up with SQL code that will delete all the tables in the database and pays off a current employee to inject the SQL code at the worst time possible."
Christiansen goes on to say, "I am currently coming up with a cost estimate of time spent recovering from the attack. The worst thing is that, with the current monitoring systems in place, it can happen multiple times without us finding the individual responsible.
"I am working with the security operations guys and the DBAs to make sure my downtime estimate is not overboard. I am making the case that a Software Security Initiative will prevent this type of attack by closing the attack vectors in the software we develop. Maybe something like this can help."
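The scenario above names SQL injection as the attack vector without showing what it looks like in code. The following is an added example, not Christiansen's code or anything from his company: a hypothetical internal order-cleanup routine written the vulnerable way (user input pasted into the SQL text) next to the same routine with a bound parameter, run against a constructed in-memory SQLite table. The table, rows and payload are all invented for the demonstration.

```python
import sqlite3

# Constructed sample data for a hypothetical internal tool (not from the page).
ROWS = [("alice", 10), ("bob", 20), ("carol", 30)]


def fresh_db():
    """Create an in-memory database with a small, constructed orders table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (customer TEXT, amount INTEGER)")
    con.executemany("INSERT INTO orders VALUES (?, ?)", ROWS)
    con.commit()
    return con


def purge_customer_vulnerable(con, customer):
    """Delete one customer's orders by pasting the name into the SQL string.

    Whoever controls `customer` controls the WHERE clause, so a crafted
    value can turn a one-customer cleanup into a wipe of the whole table.
    Returns the number of rows deleted.
    """
    sql = "DELETE FROM orders WHERE customer = '" + customer + "'"
    cur = con.execute(sql)
    return cur.rowcount


def purge_customer_safe(con, customer):
    """Same operation with a bound parameter.

    The driver sends the value separately from the statement text, so
    quotes and keywords inside it are treated as data, never as SQL.
    Returns the number of rows deleted.
    """
    cur = con.execute("DELETE FROM orders WHERE customer = ?", (customer,))
    return cur.rowcount


def remaining(con):
    """Count rows still in the table."""
    return con.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


# Hypothetical attacker input: closes the quoted literal and appends a
# condition that is always true, so the DELETE matches every row.
PAYLOAD = "nobody' OR '1'='1"


def demo():
    """Run the payload through both versions on fresh copies of the table.

    Returns (deleted_vulnerable, left_vulnerable, deleted_safe, left_safe).
    """
    con = fresh_db()
    deleted_vuln = purge_customer_vulnerable(con, PAYLOAD)
    left_vuln = remaining(con)

    con = fresh_db()
    deleted_safe = purge_customer_safe(con, PAYLOAD)
    left_safe = remaining(con)
    return deleted_vuln, left_vuln, deleted_safe, left_safe


if __name__ == "__main__":
    print(demo())
```

Against the constructed three-row table the vulnerable routine deletes all three rows and leaves none, while the parameterized routine deletes nothing because no customer is literally named `nobody' OR '1'='1`. The payload is a WHERE-clause tautology rather than a stacked `'; DROP TABLE ...` statement, because Python's sqlite3 driver refuses to execute more than one statement per call; many other database drivers do not, and the root cause, building SQL text from untrusted input, is the same in either case. This is the class of defect a software security initiative targets by mandating parameterized queries in the code the team writes.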
Show management the bottom-line losses
Some respondents believe that you have to take the high road with management. J.D. says, "The best way to get management's attention is not to bore them with technical stats like how many times the company has been attacked. It's better to show them any losses incurred -- in client access to the site, for example. Loss of business and thus profit is a strong motivator."
V. Patel agrees with this approach: "One of the things I've found is that you can't approach management with tech-heavy information. These guys are big picture and need to be bottle-fed metrics and other security issues. They understand there are problems, but they need to know how important security is to their business of staying in business."
Patel suggests you "go with hat in hand and get their buy-in by outlining the larger issues."
Even though management would sometimes rather slap a patch on security and declare it "fixed," it behooves your tech team to keep management focused on the real threats to the organization's assets -- either with shock tactics or by shining a spotlight on the bottom line.