Sometimes, no matter how hard you try, you can't get management on board. When management refuses to see reason, and security is treated as the unwanted stepchild of business priorities, you can still do something: you can protect yourself.
Sometimes, no matter how hard you try, you can't get management on board. Maybe there's nothing you can do to get upper management to realize the importance of a new security initiative in your organization, the importance of improved security measures.
It is an all too common complaint that, when an information security initiative is in the works, many of the affected departments might be interested — but upper management might be "sitting on their hands," and some affected departments might even be arguing against the needed changes because of perceived inconvenience. When management refuses to see reason, and security is treated as the unwanted stepchild of business priorities, you can still do something.
What to do
Make sure you document all communications with upper management, to the best of your ability, in your campaign to get better support for security initiatives in your organization. While I generally deplore the CYA approach to doing business, there are times when covering yourself in case of disaster becomes the only avenue left open to you.
One of these times is when, after great and long effort to garner support for improved security measures, management refuses to budge and you are effectively left open to disaster. When you can't do your job, make sure you have documentation for how exactly you were prevented from doing so, so that when the fit hits the shan it won't be so easy to turn you into a scapegoat.
If you find yourself backed into the kind of corner where a CYA policy is the only policy you can really implement, you also need to start circulating your resume. Covering yourself in case of disaster won't advance your career — it'll just help you keep your current job if something goes wrong (maybe). A much better outcome would be to get a job where that's not an issue.
Moving on is, in fact, sometimes the only thing you can do. There are instances where no amount of documentation is going to save your job. Sometimes, the very act of trying to advocate for good decisions may be what jeopardizes your job in the first place, simply because you aren't agreeing with something a higher-up has said — I've been there, personally. Don't find yourself out of a job because you didn't start looking for a new one soon enough.
What not to do
Don't just settle in and get comfortable somewhere that you cannot effectively advocate for better policy. There is no such thing as 100 percent job security, especially when IT security is neglected — because a single catastrophic failure of IT security could lead to a restructuring, an orgy of blame assignment, or even the end of the company.
If you get complacent somewhere that management refuses to consider good security practice, you run substantial risk of burying your career. If you can't effectively push for change within the organization, you should be looking for a change of organizations — for a new place to work. Some organizations just can't be saved.
In the meantime, while working for such an unreasonable organization, CYA.