Here’s an interesting question someone asked me recently about some in-fighting over security, along with my brief response on how to fix the problem. I see this ALL the time:
“I work in a company as the sole information security analyst. My job is to identify risks, set policy, and audit our IT environment against the policies I wrote. I am currently working with IT operations staff on mitigating risks based on vulnerability scans to our environment. So, I run a report and analyze the results and pick the high-priority critical vulnerabilities to our environment and submit them to IT operations to mitigate. They manage the tactical operations of servers, network gear, etc.
The problem is that they only want to do the easy ones, like Windows patching, and not the harder ones, like applying Cisco IOS critical updates or VMware security updates that come out once a quarter. Their excuse is that it causes too much risk to the environment and might break something, and that since we are behind a firewall we are not vulnerable. Their favorite lines are “we are not vulnerable, that is a very low risk” or “I have never worked at an environment where we patched Cisco devices or VMware servers (hosts).”
What would you counter with as a persuasive argument? Because I don’t have the time or money to create a risk analysis for each and every vulnerability that pops up each month. Sometimes I feel that they just don’t want to do anything, but that’s another discussion.”
Here’s my short and sweet response:
This is something you’ll be fighting until the end of time unless and until you get management on board with security. That’s going to be the key to getting this stuff worked out. I’m going to be developing an audio program on selling security to management that will address this very issue and much more. If you sign up for my mailing list at securityonwheels.com you’ll be notified when it’s available.