Hollywood Sign

Image via Wikipedia

In movies the hacker tries to hack into a Department of Defense computer by speed-typing passwords. We all know reality is nothing like this and we see it as the joke that it is.

But business management don’t see the inherent risks as affecting business bottom line but a hindrance to another new project; they don’t see the research, the probing, the social engineering, risk impact, risk probability and overall risk as security professional do. It is our job as a security professional to show the risks in business terms to management so they can make a reasonable decision based on business risk threshold rather than emphasis on hinderance to bottom line. Remember the return on investment in security is part of doing business, it’s about reducing risks on ongoing basis and keep the company profitable on long term basis (keep making the money).

Emphasize management’s accountability for the risk and most importantly for residual risks (remaining risk after implementing a control). Put the onus on the Information Asset Owner who should be at the management level not a technical staff (may delegate responsibilities in small companies). Make clear recommendations but let them make the key decisions AND make them accountable if things may go wrong.

So yes, management is more impressed by flash and glamour, Because they know and good at analyzing the business risks but take the security risks as business inhibiting to their new project and may like to accept the risks rather than taking the time to address the issue which should be a corrective control to mitigate the existing risk to acceptable level.

What do you think – Do the Hollywood movies add any value in a sense to emphasis the information security risks as a threat to business folks or they just fictional stories which make business people ignore the information security threat?

Which one is your favorite hacker movie….

Below are the top three hackers movies

3-Hackers, 2-Untraceable, 1-WarGames