
Part 2: How to Ruin your Security Program in 3 Easy Steps (A guide for the C-Suite)

  • Writer: Brian M. King
  • Oct 21
  • 3 min read

Hey there, thought leader!  Corporate security is so nebulous, confusing and even worse, a non-revenue generating cost center.  Everybody wants the best value for their dollar, so how do you get the most out of a security department while putting in as little infrastructure as possible?  The short answer is, nobody knows.  But if you’d like to get the least out of your security program, here are 3 easy steps to follow.


1.     DENY EVERY REQUEST FOR FUNDING


Let’s face it, your CSO is an annoying nerd who only ever asks for useless gadgets and always thinks the sky is falling.  You know it’s impossible to mitigate all risks, so why bother trying to mitigate some of them?  Or even be aware of what they are?  Here is where you’ll want to stick to the age-old adage, “I’ll deal with that when it becomes a problem.”


You already probably have some legacy security infrastructure, so just make the most of that.  If your CSO complains that the technology is out of date, just remind him that security is all about the fundamentals and tell him to focus his time on writing long confusing policies that no one will understand.  Remember, the difference between a successful security program and a bad one is whether or not you have a policy.  Also, you employ smart people, and they will definitely look it up on their own if they need to know about it, so make sure you don’t offer any training on the new policy for staff.  It would just lower their productivity anyway.


2.     DON'T WASTE TIME ATTENDING SECURITY BRIEFINGS


Security briefings are boring, and always just cover the basics.  You’ve been doing this long enough that you’ve seen and heard it all, so you can leave the security briefings to the employees.  Also, if your CSO tries to book time on your calendar to brief you directly, decline the meeting and tell him to schedule with a more junior employee.  Security matters rarely affect business goals, so it’s okay if you’re out of the loop on the latest items.  If it’s really important, your staff will tell you.


3.     ALWAYS REMEMBER "THE RULES DON'T APPLY TO ME"


Any good C-Suite executive knows their time is valuable.  Approximately 50-100 times more valuable than your regular employees.  Because of this, you will want to make sure security is not an impediment to YOUR job.  Besides, you’re at the top of the company, so there’s no way for you to introduce risk to the org.  Without you, there wouldn’t be an org to begin with.  To this end, you will want to make sure you find a workaround for every security policy.  Put a picture of your face at every desk and have the security guards bypass the badging system for you.  Don’t waste time with 2-factor authentication, just have IT turn that off for your machine.  Also, for image maintenance you should be regularly seen loudly complaining about how annoyed you are by basic security procedures.  This will let your employees know that you are orders of magnitude too important for those small inconveniences.


There is really no downside to this strategy.  Employees will not be influenced by your behavior and will still maintain security practices despite seeing you flagrantly disregarding them.  Besides, enforcing security standards is someone else’s job, and you pay them.  So, if they inconvenience you, remind them they are replaceable.


BRINGING IT ALL TOGETHER


There you have it, three easy steps which are all but guaranteed to ruin the effectiveness of your security program.  So, sit back, relax, and watch as your efficiency improves with no unintended consequences.  The best part is, once you’ve shown proof of concept, you’ll be able to cut back on a lot of your costs, like your security director, badges, and software subscriptions, which will really be great for the bottom line.


If you’ve made it this far, and still haven’t realized this is satire, I’m proud of you for making your way in life on your own terms.  If you’re interested in having a security program that actually functions – go to your CSO/director and ask him what are the top three concerns he has about your security program and really listen.  If you don’t have a security director, or don’t know where to start, Lexington Security Consultants can help.  Give us a call today to get on the right track and don’t be like the fictional executive we described above.

 
 
 
