Consider the usual risk management statement:
Don't spend $1000 to protect $100
Now, it might just be a situation that the execs are not aware that what they want will cost $1000; more likely that they just don't realize that they're only protecting $100 worth.
If that is the case, you could consider trying to implement methodology that will provide some hard numbers, to replace the vague feeling of uneasiness that can accompany the fear of the big scary word "SECURITY".
If they want to be fiscally responsible, they should try to understand the actual costs, risks, and benefits. I would even try to have that discussion with them without using the word security, which just seems to be confusing and irritating them.
It is also likely that, since they don't understand it, they're worried about doing their due diligence, and/or can be held responsible (either personally or corporately) if anything goes wrong. They need to be shown how to do this effectively, and yet still be "good enough" - not to never be hacked, but to make it a fair tradeoff. Even if they do get hacked, they need plausible proof of having done their diligence, so as not to have their reputation damaged (or other similar fallouts).
I recommend using FAIR, which is a quantitative methodology for putting a price tag on specific risks.
Also see: "How do you compare risks...?"
Either way, this should enable you to change the conversation from the soft, prickly, uneasy feeling of "security", to a hard talk about costs, benefit, and money. Always bring it back to showing them the money.
Worst case, if nothing else works out, put together an expensive, phased, multi-year plan. Have it prioritize the important things, as you see them, and delay to later years the issues that you would have preferred to forgo.
In most orgs, the later stuff will never get done anyway.
And even if it does, this way, you're still getting them to do the right stuff, and they're spending money on the feeling of security - which, sometimes, is important too.
Best part is, since it is in phases, you can build into the plan a re-adjustment step, between phases. Use this as a platform for a full security lifecycle... You can keep re-adjusting the unimportant phases as needed, to squeeze in other important bits.
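To make the "don't spend $1000 to protect $100" test concrete, here is an added Python example (not code from the answer above or from the FAIR standard itself) that does what a FAIR-style quantitative analysis boils down to: estimate loss event frequency and loss magnitude as ranges, run a Monte Carlo simulation to get an annualized loss expectancy (ALE) before and after a control, and compare the expected reduction against the control's annual cost. Every number in it (event rates, loss ranges, control cost) is a constructed illustration, not a figure from the post.

```python
"""FAIR-style Monte Carlo comparison of a control's cost against the risk it removes.

Added example; all frequencies, loss ranges and costs below are constructed
illustration values and are NOT figures from the original answer.
"""
import math
import random
from statistics import mean


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year (Knuth's method, stdlib only)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(events_per_year: float, loss_low: float, loss_mode: float,
                         loss_high: float, years: int = 10_000, seed: int = 1) -> list:
    """Monte Carlo: each simulated year draws a Poisson event count, and each
    event draws a loss from a triangular(min, most likely, max) distribution,
    the kind of calibrated range a FAIR analysis asks subject-matter experts for."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        n = poisson(rng, events_per_year)
        # random.triangular takes (low, high, mode) in that order
        total = sum(rng.triangular(loss_low, loss_high, loss_mode) for _ in range(n))
        losses.append(total)
    return losses


def annualized_loss_expectancy(losses: list) -> float:
    """Mean simulated loss per year."""
    return mean(losses)


def control_is_worth_it(ale_before: float, ale_after: float, annual_control_cost: float) -> bool:
    """The rule from the answer: spend only when the expected loss reduction
    exceeds what the control costs per year."""
    return (ale_before - ale_after) > annual_control_cost


def evaluate_control(before: dict, after: dict, annual_control_cost: float) -> dict:
    """Run both scenarios and return the numbers an exec conversation needs."""
    ale_before = annualized_loss_expectancy(simulate_annual_loss(**before))
    ale_after = annualized_loss_expectancy(simulate_annual_loss(**after))
    return {
        "ale_before": round(ale_before),
        "ale_after": round(ale_after),
        "expected_reduction": round(ale_before - ale_after),
        "annual_control_cost": annual_control_cost,
        "worth_it": control_is_worth_it(ale_before, ale_after, annual_control_cost),
    }


if __name__ == "__main__":
    # Constructed scenario: today ~2 incidents/year costing $1k-$20k each;
    # a proposed control is expected to cut frequency to ~0.5/year.
    current = dict(events_per_year=2.0, loss_low=1_000, loss_mode=5_000, loss_high=20_000)
    with_control = dict(events_per_year=0.5, loss_low=1_000, loss_mode=5_000, loss_high=20_000)
    print(evaluate_control(current, with_control, annual_control_cost=8_000))
    # Same control priced at $30k/year fails the "$1000 to protect $100" test:
    print(evaluate_control(current, with_control, annual_control_cost=30_000))
```

The point of running the comparison twice is the one the answer makes: the same control can be the right or the wrong purchase depending only on the numbers, and putting those numbers on the table moves the discussion from "are we secure?" to "is this spend justified?".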