
What do you do if management won't get on board?

Sometimes, no matter how hard you try, you can't get management on board. When management refuses to see reason, and security is treated as the unwanted stepchild of business priorities, you can still do something: you can protect yourself.

Sometimes, no matter how hard you try, you can't get management on board. Maybe there's nothing you can do to get upper management to realize the importance of a new security initiative in your organization, or of improved security measures.

It is an all too common complaint that, when an information security initiative is in the works, many of the affected departments might be interested -- but upper management might be "sitting on their hands," and some affected departments might even be arguing against the needed changes because of perceived inconvenience. When management refuses to see reason, and security is treated as the unwanted stepchild of business priorities, you can still do something.

What to do

Make sure you document all communications with upper management, to the best of your ability, in your campaign to get better support for security initiatives in your organization. While I generally deplore the CYA approach to doing business, there are times when covering yourself in case of disaster becomes the only avenue left open to you.

One of these times is when, after great and long effort to garner support for improved security measures, management refuses to budge and you are effectively left open to disaster. When you can't do your job, make sure you have documentation for how exactly you were prevented from doing so, so that when the fit hits the shan it won't be so easy to turn you into a scapegoat.

If you find yourself backed into the kind of corner where a CYA policy is the only policy you can really implement, you also need to start circulating your resume. Covering yourself in case of disaster won't advance your career -- it'll just help you keep your current job if something goes wrong (maybe). A much better outcome would be to get a job where that's not an issue.

Moving on is, in fact, sometimes the only thing you can do. There are instances where no amount of documentation is going to save your job. Sometimes, the very act of trying to advocate for good decisions may be what jeopardizes your job in the first place, simply because you aren't agreeing with something a higher-up has said -- I've been there, personally. Don't find yourself out of a job because you didn't start looking for a new one soon enough.

What not to do

Don't just settle in and get comfortable somewhere that you cannot effectively advocate for better policy. There is no such thing as 100 percent job security, especially when IT security is neglected -- because a single catastrophic failure of IT security could lead to a restructuring, an orgy of blame assignment, or even the end of the company.

If you get complacent somewhere that management refuses to consider good security practice, you run a substantial risk of burying your career. If you can't effectively push for change within the organization, you should be looking for a change of organizations -- for a new place to work. Some organizations just can't be saved.

In the meantime, while working for such an unreasonable organization, CYA.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

6 comments
apotheon

How do you cover yourself in case of catastrophe when you just can't get upper management to let you secure your systems? Have you ever had to leave a job under such circumstances?

nwoodson

I've said this before in posts on other blogs. The issue that I'm perceiving is the professional ignorance of the non-technical managers. The "You serve a support function only" attitude is the root of this type of problem. People like that have to have the gravity of poor technical judgement impressed upon them one way or another. I watch a lot of really poor decisions being made, give and document my input then when there's a failure I set out to correct it. I do, however, remind the individuals in question that they made the call...I'm just cleaning up as much as possible. We can't change the senior staff's mind most of the time simply because we're outnumbered. Slick salespeople or "fact-finding" teams or even autocratic leaders who know everything generally can't be dealt with lest you have adequate (read: superior) authority. Communication skills help, but if nobody is listening the point is moot. You'll hear something like, "I want what I want and I want it now." Please note...a lot of I there and no team. It isn't necessarily the best approach and the only reasons I get away with it are my personality and competence. I do wish all of my fellow techies well in those endeavours. We need to educate as much as conduct operations...and educating the unwilling and unknowing is infinitely harder.

Dana44

to job hop because you can't or don't know how to present your ideas in a way that will get them approved. I agree that there are times a CYA file is needed, but how your article is presented makes it sound like when you don't get your way change jobs. Before I read the article I was hoping to get tips on different ways to present things to management. Oh well, disappointment seems to be the theme when reading TR not the exception. Should I give up on TR then?

jdmercha

1. Document everything
2. Document everything
3. Document everything

The next thing to do is start looking for another job. Because when the sh** hits the fan, you'll be the one it hits. If you have your suggestions and their responses well documented then you will not be fired. However you will still have to take the heat and they will start looking for other ways to let you go, such as reorganization. After all, it can't be their fault. I've been there.

NotSoChiGuy

...for a similar reason. It wasn't security related, it was project related. The consultants they brought in for the project were prone to 'seagulling'. They weren't around enough to have any sense of the cultural/change management dynamics that were critical to the success of the project. Despite repeated discussions with the org hierarchy, nothing was done. I also started getting the impression that it was going to be me who was thrown under the bus (project was going long on time and budget, work environment went into the toilet, technologies were problematic...pretty much all the things I warned them about), so I left preemptively. As unfortunate a statement as it is regarding the American workplace, I learned long ago (at a Big 4 consulting firm) the value of a CYA folder. Employers seem to expound on the greatness of teamwork, but anyone that doesn't have their head on a swivel is prone to have it on a chopping block!

apotheon

"I agree that there are times a CYA file is needed, but how your article is presented makes it sound like when you don't get your way change jobs."

There are people who think this way -- and, frankly, the organization would be better off without them. The people I'm actually trying to address here, though, are the people who can make a reasonable assessment of the situation and realize that there's no honor in going down with a sinking ship, at least when it's sinking because good policy is forbidden. How you read the article depends on who you imagine is reading it, I suppose.

"Before I read the article I was hoping to get tips on different ways to present things to management."

I'm actually planning to address such issues in the near future, but this article was -- as the title says -- about what to do when you can't get management to go beyond minimal compliance, to support implementation of even basic security protections, or to recognize the elephant in the room as something to be addressed. I can't speak for others, but in my case (when the headline doesn't get edited by someone else), the actual wording of the headline is probably a clear indicator of its content. If management won't get on board -- literally will not -- there isn't much you can do to solve the problem. Under such circumstances, you may have to remove the problem from your professional life by some other means.