There are many ways to increase security in your company, if that is your thing. Most managers will, however, find these ten tips on how to avoid security, much more useful. First published on this blog in 2007, I hereby repost my tips on how managers can avoid security. These tips are, in my humble opinion, still relevant today, and by following them, you will ensure that your company is ready when disaster strikes – ready to roll over and die!
Not ready to roll over and die, you say? Well then, use the tips as a way to discover how not to protect yourself and your company. If you already to one or more of these things, it is about time to reconsider your approach to security.
Here comes the original piece, with some edits for readability. Typos and grammar are, well probably still carrying my strong accent!
The Top Ten tips on Avoiding Security for Managers
I have noticed that all to many business managers and executives are digging into security. They have this strange idea that securing information and systems are important to their business.
If you are such a manager, or if you have one of those in your team – here are ten top reasons why you really should reconsider. If you have one in your team, give him this list and he should be getting the idea.
10: Make security a non-management issue
Make sure that you avoid taking security up to your level. If security is relevant at all in your company, make sure you keep it way under your radar. Best thing is to give it to the IT-department, so they can buy their firewalls and other stuff you do not want to hear about. After all, you do not want to bother your management team with issues of what parts of your business development, research and logistics are critical to your business, nor do you want them to worry about how to keep your competitors away from your marketspace.
So to make sure your management keep their focus on their particular tasks, make sure you never, ever bring security to the management table.
9: Avoid internal security policies
Policies are broad descriptions of how to relate the daily operations to security. Policies enables the management to describe actions and behaviors that are considered correct. Of course you do not want to bother your management team to think about such issues, and heaven forbid if you should tell your employees what to do and how to behave. To make sure you avoid controlling the behaviors of your organization, avoid security policies.
8: Never value your information
By making information a value to your organization, you automatically identify it as a potential security risk. If your CFO starts believing he is actually working with information someone cares about and values, he just might start selling it off to the highest bidder. And if your business development team realizes there is a value in the future merger they are working on, they may have to start screening their members, and use security measures to keep the other employees away from the information. It might be expensive, so unless you want to invest in training and technology, you really must stay away from thinking information has a value in it self.
7: Never grade the information
Grading information is the same as with valueing information. – it just takes it one step further. A simple grading scale may have only three steps – public, internal and management only. You really need to stay off this course – not only due to the level of buraucracy it adds to your allready heavily burdened organization – but because grading information really tips your employees and partners off that you think your information has value. They may actually start looking for graded information to sell off at the lunch diner or to the highest bidder. Which means you need some kind of security measures to ensure that only those eyes who are intended to see the files have access to them.
So in order to avoid large spendings, training and sneaking employees, you should never walk the path of grading information.
6: Do not care about risk assessments
Risk assessments are the art of guess what the chance that a certain risk may occure. As a manager, you are allready aware of the fact that it NEVER happens to you, nor your company. It may happen to your neighbour. To your competitor. And to the very best in your area. But it will NEVER happen to you. So there is no need what so ever to spend money, time and efforts in trying to guess how many laptops you will loose during the next 12 months, nor to figure out what a virus attack may cause your organization if it locks down your hole production facility. It will never happen, so save the cash and spend it on a dinner for your major client instead.
5: Knowlegde is overrated
Training your staff and employees about how to avoid virus, trojans and sexy young people asking funny questions is total waste of time and money. After all, when they are at the training, they are not able to do their work. When they get back to work, they start seeing threats all over. You may getting questions about why the Printer Repair guy is walking about in your offices and asking questions not at all related to printing. And your IT-manager may complain that noone calls him to reset the passwords or to clean out spyware from the computers anymore. And certainly, you would not want the IT-manager spending time on detecting, prevention and tuning your systems, now, would you? So make sure your employees are left in the dark. It is the cheapest thing to do.
4: No need for continuity planning
If someone in your organization starts talking about continuity and disaster preparations and planning for the worst, make sure your show them point 5 above. As I have established, all the bad things happens to the others – never to you. NEVER. So planning for disaster is a huge waste of time and money, something best left to your competitors. After all, their factory may catch on fire, and they need to be able to keep up the production to make a profit. Nothing you need to care about at all, as it will never happen to you.
So when you hear the buzz about planning for disaster, make sure you can stuff your ears with cotton, and just hum a tune you like.
3: Avoid security experts
When the security experts enters the building, the first thing they do is to figure out how to scare you to pay their huge and overrated invoices. Their knowledge and expertise is highly over rated, after all most are just techno geeks or former intelligens people with no understadning about running a business what so ever. All they care about is to invade your company with methods, rules, policies and tools. They even offer to train your staff. If you ever come across a security expert, make sure you never let him or her enter your premisses. Most of these people are hackers and social engineering specialists – who knows who they are really working for – and what they will take with them when they leave. Not that it matters to you – if you followed points three and four above!
2: Compliance is waste of money.
Compliance is the art of following the rules and regulations stated in laws like SoX, HIIPA, Basel II, PCI and in standards like ISO. They claim they are there to protect against missuse of information, or to ensure the quality of the information. As we allready agree, information has no value at all, so there is no need to care about compliance.
What’s more, who really cares about what shareholders, local governments and customers may think of you if something should happen? (Not that something ever will happen to you). It is a fact that a few customers are requiring compliance by all its partners. That is just a short-term missunderstanding, made by only a very few, non important producers like Mercedes Benz, Volvo, HP and a couple of others. Not at all relevant to you, and a total waste of time and cash. Make the right decision – stay off the compliance case!
1: Simple is bad – make things complicated!
Some claim simplicity is key. One password, simple rules, easy-to-use systems. What on earth makes people say that? The harder it is for your regular users to get access to a system, the harder it must be for everyone else. And Post-It notes is a great tool to jot down the ten-folds of passwords. And what would your users do with all the extra time if they only had to remember to bring with them one simple password? Surely it would be spent surfing for porn or sending emails to their family.
Another important thing is to confuse people. Just change policies every week. You may also enjoy changing them daily or even by the hour. Make routines so complicated they are impossible to follow.
Kiss goodby to good old KISS – the Keep it simple, stupid, and confuse everyone with complicated rules and procedures. Have you considered handing out three different access cards to the building to your employees? One for the parking lot, one for the main entrance, and one for the elevator. It works every time!
I first published this back in 2007, and because it is equally relevant today, I wanted to share it with my readers again in 2015. I hope you enjoyed!
What are your best tips to help managers avoid security in your company? Share them in the comments!