Too many security folks push security for its own sake–they insist things should be locked down, blocked, and forbidden.
Good security, like risk management, is a matter of degree. You need to secure just enough to get by. In other words, don’t spend time, effort, and money implementing security that the business doesn’t need or that management has not approved.
Good security is not overbearing and difficult, but sometimes the only way to secure a poorly designed (or built) system is to bolt security on in an unfortunate way that gets in the way of business a bit. Sometimes, the business throws caution to the wind and doesn’t allow you to secure it.
Kinda like those NT 4 servers we had in the DMZ until recently. The business would not take the time to test the 2003 servers we had built and configured to replace them. We waited two years for the business to get ‘er done. But the applications running on the old NT 4 couldn’t be turned off. They simply pulled in too much money. Even after other servers in the DMZ were hacked, management did not insist the business migrate to higher ground (how the attackers missed these servers, who knows, but they missed the credit card numbers they were looking for too).
No, the security team didn’t like those NT 4 servers. It didn’t make sense to us. In fact, it was plain stupid.
However, we always remember that we serve the business, not the other way around. If our security staff highlights the risk, the cost of securing something, and the trade-offs, then we’ve done our job. It was time to shut up and let management do its job, which is to manage, by deciding what to do.
(Take a deep breath before reading further…)
If management doesn’t care, then the security staff shouldn’t either, at least until next year. Kindly bring it up again and let management decide again (just like auditors do). To pursue security over management’s wishes wastes time and effort, both the security staff’s and management’s. Ultimately, those wasted efforts fall to the bottom line and can impact shareholders (I’ve seen these issues get that big in large companies when executives battle).
Also, you get the reputation of “not thinking globally” and “not understanding how the business generates revenue” or whatever they call it at your firm. You are not seen as an enabler, but a disabler. Who needs more enemies? Focus on the issues that management DOES care about (they evaluate you on those issues, right?).
If management accepts the risks and finds their backsides bared later, it is management’s fault, not security’s (although it often isn’t viewed that way, so practice a little CYA).
Simply stated, security teams are not hired to ensure the environment is secure; they are hired to ensure the environment is as secure as the business desires it to be (or put another way, to enable systems, applications, and users to get their jobs done in an efficient and effective manner, which may include social networking applications and other “undesirables”). Part of the job description is telling the business when you believe it is heading down the wrong path, suggesting alternate paths, and giving them the risk, cost, and probabilities they face on each path.
Security teams advise; management decides. If you disagree, I’d like to know why.