Product Manager Doesn’t Care About CybersecurityShould I care about the coworker next to me while he dozes off and our boss doesn't care?Can I visit contractor location without manager approval?Confront the manager in a constructive safe manner about lack of workHow to ask my manager if I am about to be fired?How do I deal with a superior who seems more interested in respect than the issues?How to convince manager of need for additional security testing before releaseSwitching teams because current manager doesn't care about my work?how to ask manager to evaluate me as product managerHiring at industry events in cybersecurityManager is not replying about permission to use dummy data

How did sloshing prevent the Apollo Service Module from moving safely away from the Command Module and how was this fixed?

Finding integer database columns that may have their data type changed to reduce size

Is よう an adjective or a noun?

Why is the saxophone not common in classical repertoire?

How come having a Deathly Hallow is not a big deal?

When do I make my first save against the Web spell?

If a creature is blocking and it has vigilance does it still tap?

Which are more efficient in putting out wildfires: planes or helicopters?

Is it possible that Curiosity measured its own methane or failed doing the spectrometry?

Isn't "Dave's protocol" good if only the database, and not the code, is leaked?

Phrasing "it says" or "it reads"

How to create a 2D table with varying step?

What does "another" mean in this case?

What is the difference between a historical drama and a period drama?

Can you use a reaction to affect initiative rolls?

My players like to search everything. What do they find?

What caused the flashes in the video footage of Chernobyl?

How can I get a file's size with C++17?

What instances can be solved today by modern solvers (pure LP)?

PhD: When to quit and move on?

Sleepy tired vs physically tired

Has there ever been a cold war other than between the U.S. and the U.S.S.R.?

Does this circuit have marginal voltage level problem?

What is a "tittering order"?



Product Manager Doesn’t Care About Cybersecurity


Should I care about the coworker next to me while he dozes off and our boss doesn't care?Can I visit contractor location without manager approval?Confront the manager in a constructive safe manner about lack of workHow to ask my manager if I am about to be fired?How do I deal with a superior who seems more interested in respect than the issues?How to convince manager of need for additional security testing before releaseSwitching teams because current manager doesn't care about my work?how to ask manager to evaluate me as product managerHiring at industry events in cybersecurityManager is not replying about permission to use dummy data






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








7















Recently it was discovered that one of the open source packages we were using in our software was deemed vulnerable many years ago. It is no longer maintained. It is also too costly to remove and replace. I informed my Product Manager who responded with “What do you want me to do about it?” My response was that I was informing you because it will have to be reported up the chain. The response back was “Again, what do you want me to do about it?” Weeks later and the manager is still ambivalent. It is a product that is used worldwide. After the manager’s second reply, I stopped responding. We are not able to make changes without the product managers approval.



What would be the correct response in this situation? I showed the response to a coworker and his response was that the manager was in the wrong and shouldn’t have responded that way.










share|improve this question



















  • 1





    You say it's "too costly to remove and replace" and that you "are not able to make changes without the product manager's approval". It's not clear from this question which changes you are hoping for them to approve. Perhaps the PM is literally looking for recommendations for how to address the problems ("What do you want me to do about it?"). Raising it up chain without a suggested course of action is probably not going to be very productive.

    – combinatorics
    Dec 15 '18 at 22:40











  • @combinatorics: at my company, that is the norm. The recommendation was to upgrade it which the PM response was “What do you want me to do about it?”

    – Brian
    Dec 15 '18 at 22:49






  • 1





    Well, what do you want him to do about it? Did you propose an alternative solution? Is there one?

    – Seth R
    Dec 18 '18 at 4:04











  • In all honesty, I would be first more worried about the maintenancy aspect of theatunmaintened component than cybersecurity first. Unless this component play a major role in itself in the security of your application.

    – Walfrat
    Dec 18 '18 at 12:45


















7















Recently it was discovered that one of the open source packages we were using in our software was deemed vulnerable many years ago. It is no longer maintained. It is also too costly to remove and replace. I informed my Product Manager who responded with “What do you want me to do about it?” My response was that I was informing you because it will have to be reported up the chain. The response back was “Again, what do you want me to do about it?” Weeks later and the manager is still ambivalent. It is a product that is used worldwide. After the manager’s second reply, I stopped responding. We are not able to make changes without the product managers approval.



What would be the correct response in this situation? I showed the response to a coworker and his response was that the manager was in the wrong and shouldn’t have responded that way.










share|improve this question



















  • 1





    You say it's "too costly to remove and replace" and that you "are not able to make changes without the product manager's approval". It's not clear from this question which changes you are hoping for them to approve. Perhaps the PM is literally looking for recommendations for how to address the problems ("What do you want me to do about it?"). Raising it up chain without a suggested course of action is probably not going to be very productive.

    – combinatorics
    Dec 15 '18 at 22:40











  • @combinatorics: at my company, that is the norm. The recommendation was to upgrade it which the PM response was “What do you want me to do about it?”

    – Brian
    Dec 15 '18 at 22:49






  • 1





    Well, what do you want him to do about it? Did you propose an alternative solution? Is there one?

    – Seth R
    Dec 18 '18 at 4:04











  • In all honesty, I would be first more worried about the maintenancy aspect of theatunmaintened component than cybersecurity first. Unless this component play a major role in itself in the security of your application.

    – Walfrat
    Dec 18 '18 at 12:45














7












7








7








Recently it was discovered that one of the open source packages we were using in our software was deemed vulnerable many years ago. It is no longer maintained. It is also too costly to remove and replace. I informed my Product Manager who responded with “What do you want me to do about it?” My response was that I was informing you because it will have to be reported up the chain. The response back was “Again, what do you want me to do about it?” Weeks later and the manager is still ambivalent. It is a product that is used worldwide. After the manager’s second reply, I stopped responding. We are not able to make changes without the product managers approval.



What would be the correct response in this situation? I showed the response to a coworker and his response was that the manager was in the wrong and shouldn’t have responded that way.










share|improve this question
















Recently it was discovered that one of the open source packages we were using in our software was deemed vulnerable many years ago. It is no longer maintained. It is also too costly to remove and replace. I informed my Product Manager who responded with “What do you want me to do about it?” My response was that I was informing you because it will have to be reported up the chain. The response back was “Again, what do you want me to do about it?” Weeks later and the manager is still ambivalent. It is a product that is used worldwide. After the manager’s second reply, I stopped responding. We are not able to make changes without the product managers approval.



What would be the correct response in this situation? I showed the response to a coworker and his response was that the manager was in the wrong and shouldn’t have responded that way.







communication manager security






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Dec 18 '18 at 0:57









Anthony

6,26916 silver badges62 bronze badges




6,26916 silver badges62 bronze badges










asked Dec 15 '18 at 22:19









BrianBrian

2,0251 gold badge6 silver badges11 bronze badges




2,0251 gold badge6 silver badges11 bronze badges







  • 1





    You say it's "too costly to remove and replace" and that you "are not able to make changes without the product manager's approval". It's not clear from this question which changes you are hoping for them to approve. Perhaps the PM is literally looking for recommendations for how to address the problems ("What do you want me to do about it?"). Raising it up chain without a suggested course of action is probably not going to be very productive.

    – combinatorics
    Dec 15 '18 at 22:40











  • @combinatorics: at my company, that is the norm. The recommendation was to upgrade it which the PM response was “What do you want me to do about it?”

    – Brian
    Dec 15 '18 at 22:49






  • 1





    Well, what do you want him to do about it? Did you propose an alternative solution? Is there one?

    – Seth R
    Dec 18 '18 at 4:04











  • In all honesty, I would be first more worried about the maintenancy aspect of theatunmaintened component than cybersecurity first. Unless this component play a major role in itself in the security of your application.

    – Walfrat
    Dec 18 '18 at 12:45













  • 1





    You say it's "too costly to remove and replace" and that you "are not able to make changes without the product manager's approval". It's not clear from this question which changes you are hoping for them to approve. Perhaps the PM is literally looking for recommendations for how to address the problems ("What do you want me to do about it?"). Raising it up chain without a suggested course of action is probably not going to be very productive.

    – combinatorics
    Dec 15 '18 at 22:40











  • @combinatorics: at my company, that is the norm. The recommendation was to upgrade it which the PM response was “What do you want me to do about it?”

    – Brian
    Dec 15 '18 at 22:49






  • 1





    Well, what do you want him to do about it? Did you propose an alternative solution? Is there one?

    – Seth R
    Dec 18 '18 at 4:04











  • In all honesty, I would be first more worried about the maintenancy aspect of theatunmaintened component than cybersecurity first. Unless this component play a major role in itself in the security of your application.

    – Walfrat
    Dec 18 '18 at 12:45








1




1





You say it's "too costly to remove and replace" and that you "are not able to make changes without the product manager's approval". It's not clear from this question which changes you are hoping for them to approve. Perhaps the PM is literally looking for recommendations for how to address the problems ("What do you want me to do about it?"). Raising it up chain without a suggested course of action is probably not going to be very productive.

– combinatorics
Dec 15 '18 at 22:40





You say it's "too costly to remove and replace" and that you "are not able to make changes without the product manager's approval". It's not clear from this question which changes you are hoping for them to approve. Perhaps the PM is literally looking for recommendations for how to address the problems ("What do you want me to do about it?"). Raising it up chain without a suggested course of action is probably not going to be very productive.

– combinatorics
Dec 15 '18 at 22:40













@combinatorics: at my company, that is the norm. The recommendation was to upgrade it which the PM response was “What do you want me to do about it?”

– Brian
Dec 15 '18 at 22:49





@combinatorics: at my company, that is the norm. The recommendation was to upgrade it which the PM response was “What do you want me to do about it?”

– Brian
Dec 15 '18 at 22:49




1




1





Well, what do you want him to do about it? Did you propose an alternative solution? Is there one?

– Seth R
Dec 18 '18 at 4:04





Well, what do you want him to do about it? Did you propose an alternative solution? Is there one?

– Seth R
Dec 18 '18 at 4:04













In all honesty, I would be first more worried about the maintenancy aspect of theatunmaintened component than cybersecurity first. Unless this component play a major role in itself in the security of your application.

– Walfrat
Dec 18 '18 at 12:45






In all honesty, I would be first more worried about the maintenancy aspect of theatunmaintened component than cybersecurity first. Unless this component play a major role in itself in the security of your application.

– Walfrat
Dec 18 '18 at 12:45











4 Answers
4






active

oldest

votes


















14














Don't in general go to managers with problems unless you also have a solution.



"This is no longer supported and is buggy" is less useful then "this is no longer supported and is buggy, but I have had a look and cooking up a patch to fix the library will take X days, replacing the library with a more modern one Y days (but then we won't have to keep patching), and doing nothing costs nothing but exposes us to the risks A, B & C, which option would you like me to do?".



Try very hard to never go to manglement with a problem without also offering solutions, it is mostly pointless.



Regards, Dan.






share|improve this answer


















  • 1





    Also, you will have to get much more specific than "this software is vulnerable". To what? Is that risk mitigated in other ways? Could other mitigation be added? Any other options you can think of other than replacing the whole thing?

    – Peter
    Dec 16 '18 at 1:35






  • 14





    I find this advice "don't go to your manager with problems if you don't have the solution" quite ridiculous. I am quite capable of finding problems that I have no idea how to fix. Not telling my boss about them would be absolutely irresponsible. Maybe I have had the luck to always work with managers who are not morons who'd rather not hear about problems.

    – gnasher729
    Dec 16 '18 at 15:50







  • 1





    @gnasher729 maybe its just because I do engineering at a reasonably senior level, but even if the solution is "We don't have the in house skills to solve this, but we can use so and so as a consultant", I would always try to offer a fix. Of course going to management to give information "project foobar is running late because..." or to seek information about priorities "We don't have the resources to ship both the projects on time because... Which one should be prioritised?" are entirely valid. Information is good, information with some actionable choices is better.

    – Dan Mills
    Dec 16 '18 at 16:19











  • One potential solution would be to have the manager add the issue to the product or companies risk register (if there is no risk register, this should be on the risk register as well). If you have a Risk&Assurance person floating around, you could mention it to them as well.

    – Jamie
    Dec 18 '18 at 0:45






  • 2





    @Walfrat I am guessing you run with a different set of developers or a very different culture, because if my management tried that on our dev shop they would find that they didn't have a dev team remarkably quickly. We poke, we prod, we hack, its what we do, and actually if you use libraries in your code the time taken to really understand how they work is generally WELL spent (How else will you know where the odd corner cases are likely to be hiding, much better to find those while playing then when on a deadline).

    – Dan Mills
    Dec 18 '18 at 19:47


















9














Be honest. Tell your manager that you don’t expect him to do anything, you just want to be able to honestly say that you informed your superior about this issue on a regular basis in the event that using the product as-is results in a breach of some sort. That you understand that it’s not your job to do cost/benefit analysis for fixing, switching or ignoring the issue, but you do feel it is your job to keep management informed of such issues as they become apparent to you.



This probably won’t endear you to your manager...






share|improve this answer






























    7














    Assess the vulnerability and the cost of implementing fixes or workarounds.



    You say that this is an open-source projects that is no longer maintained. You can therefore:



    • Check to see if a maintained fork exists. A 'fork' is where someone took the original code and maintains/updates it as a seperate product.


    • Create a fork and address the security concerns yourself as a company. Bear in mind that if the original code was licensed under the GPL (any version or derivative), you legally cannot keep the code in-house if the software package is being distributed outside of your company.


    I would do number one first, then entertain number two. Either way, you have a solution you can give to your project manager.






    share|improve this answer























    • I disagree, doing that require time, time in job means money, money that, unless you're in R&D is not meant to do that but to develops. For me the first step is first to raise an issue, if the one handling it don't want you do take time to even perform an analysis, it's their choice, their responsability.

      – Walfrat
      Dec 18 '18 at 12:40











    • @Walfrat "I disagree, doing that require time, time in job means money" and I can guarantee you that having your software hacked with known vulnerabilities to the point where just using your product puts users or their assets in danger costs quite a bit more. "For me the first step is first to raise an issue" The open source package is unmaintained; there is no one to raise the issue to. If you are talking about the product manager, the product manager is asking OP for a solution.

      – 520
      Dec 19 '18 at 18:48












    • I agree, the OP made a good choice, now their manager should decide if he wants to spend time to have OP look for a solution now, later, or drop the problem. The OP could eventually have more information like how long will it take for him to assess the vulnerability. You answer is good I just think it miss that one step.

      – Walfrat
      Dec 20 '18 at 10:27


















    2














    I currently work as an analyst on the IT security team at my company, formerly having transferred as an security auditor. I will provide a framework that I think you can use, and for which I have used on numerous occasions with success in my current role.




    Analyze the vulnerability found




    Your first task prior to escalation should be to analyze the vulnerability. In this step, your goal is to gain as much understanding about the security weakness as possible and to brainstorm how about it may be exploited. Threat modeling would be very useful exercise to do. Some answers that you would want to know are listed below. This list is by no means exhaustive.



    1. Who are the threat actors that could exploit this vulnerability discovered?

    2. How targeted do you believe the threat actors are - I.e: Are they aiming specifically for your company?

    3. What are the pre - conditions necessary for this vulnerability to be exploited?

    4. What adverse impact could result, assuming the vulnerability is exploited? - I.e: what is the inherent security risk? E.g: sensitive data exfiltration


    Rank the severity of the vulnerability using a accepted metric such as MITRE CVSS score




    Use well known and accepted sources of information for vulnerability ranking and management to increase your authority when presenting to the product manager.




    Evaluate security controls currently present to mitigate likelihood of vulnerability being exploited or impact if exploited




    Now that you have a good idea of the inherent security risk by evaluating both likelihood and adverse impact of exploitation, you analyze the current security controls and their effectiveness. I am not sure of your role or whether your company has a IT Security function, but work with them to understand what security processes are currently in place. Security controls is a broad term but in general includes detective, administrative, corrective, and preventative controls.




    Establish reasonable residual risk ranking using accepted sources and methodology




    Your goal in this step is to arrive at a reasonable ranking for residual risk - the risk remaining (business risk, data risk etc.) after application of in - place security controls. In other words, quantity the value of the in-place security controls. A source I have found useful when performing this step is NIST publication SP-800 30 Revision 1.




    Translate analysis into business value




    From the message the product owner gave you, it seems he is unsure / reluctant to proceed. It is important that you be able to translate the impact of the vulnerability into monetary terms - loss of current revenue, loss of prospective revenue due to customer attrition as a result of reputational damage in case of vulnerability exploitation etc. Assuming the product owner is rational, cares about the product, and is concerned about negative effect on customers, he / she should approve appropriate action such as to update the software.



    It is also important to note that one form of management response is to accept the risk. Management may decide that remediation of the vulnerability is too costly relative to its likelihood of exploitation / impact of exploitation. While this may not be what you prefer, it is a valid approach nonetheless.




    Use past examples to illustrate what the consequences are for inadequate attention to cybersecurity




    Past incidents provide concrete evidence that shoddy / inadequate cybersecurity have are real and have a business cost. Money is the language of business and lost money will usually catch management's attention.




    Work with your security folks (if your company has such a team) or do some own research on your own to determine needs to be done to remediate vulnerability.




    The product manager has basically asked you for a proposed solution. It would look real good if you did some research, drafted a planned remediation plan, and analyzed costs to help the product manager. Help him / her to help you. You always want to present a solution, when faced with a obstacle in your work.






    share|improve this answer



























      Your Answer








      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "423"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader:
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      ,
      noCode: true, onDemand: false,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );













      draft saved

      draft discarded


















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fworkplace.stackexchange.com%2fquestions%2f124791%2fproduct-manager-doesn-t-care-about-cybersecurity%23new-answer', 'question_page');

      );

      Post as a guest















      Required, but never shown




















      StackExchange.ready(function ()
      $("#show-editor-button input, #show-editor-button button").click(function ()
      var showEditor = function()
      $("#show-editor-button").hide();
      $("#post-form").removeClass("dno");
      StackExchange.editor.finallyInit();
      ;

      var useFancy = $(this).data('confirm-use-fancy');
      if(useFancy == 'True')
      var popupTitle = $(this).data('confirm-fancy-title');
      var popupBody = $(this).data('confirm-fancy-body');
      var popupAccept = $(this).data('confirm-fancy-accept-button');

      $(this).loadPopup(
      url: '/post/self-answer-popup',
      loaded: function(popup)
      var pTitle = $(popup).find('h2');
      var pBody = $(popup).find('.popup-body');
      var pSubmit = $(popup).find('.popup-submit');

      pTitle.text(popupTitle);
      pBody.html(popupBody);
      pSubmit.val(popupAccept).click(showEditor);

      )
      else
      var confirmText = $(this).data('confirm-text');
      if (confirmText ? confirm(confirmText) : true)
      showEditor();


      );
      );






      4 Answers
      4






      active

      oldest

      votes








      4 Answers
      4






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      14














      Don't in general go to managers with problems unless you also have a solution.



      "This is no longer supported and is buggy" is less useful then "this is no longer supported and is buggy, but I have had a look and cooking up a patch to fix the library will take X days, replacing the library with a more modern one Y days (but then we won't have to keep patching), and doing nothing costs nothing but exposes us to the risks A, B & C, which option would you like me to do?".



      Try very hard to never go to manglement with a problem without also offering solutions, it is mostly pointless.



      Regards, Dan.






      share|improve this answer


















      • 1





        Also, you will have to get much more specific than "this software is vulnerable". To what? Is that risk mitigated in other ways? Could other mitigation be added? Any other options you can think of other than replacing the whole thing?

        – Peter
        Dec 16 '18 at 1:35






      • 14





        I find this advice "don't go to your manager with problems if you don't have the solution" quite ridiculous. I am quite capable of finding problems that I have no idea how to fix. Not telling my boss about them would be absolutely irresponsible. Maybe I have had the luck to always work with managers who are not morons who'd rather not hear about problems.

        – gnasher729
        Dec 16 '18 at 15:50







      • 1





        @gnasher729 maybe its just because I do engineering at a reasonably senior level, but even if the solution is "We don't have the in house skills to solve this, but we can use so and so as a consultant", I would always try to offer a fix. Of course going to management to give information "project foobar is running late because..." or to seek information about priorities "We don't have the resources to ship both the projects on time because... Which one should be prioritised?" are entirely valid. Information is good, information with some actionable choices is better.

        – Dan Mills
        Dec 16 '18 at 16:19











      • One potential solution would be to have the manager add the issue to the product or companies risk register (if there is no risk register, this should be on the risk register as well). If you have a Risk&Assurance person floating around, you could mention it to them as well.

        – Jamie
        Dec 18 '18 at 0:45






      • 2





        @Walfrat I am guessing you run with a different set of developers or a very different culture, because if my management tried that on our dev shop they would find that they didn't have a dev team remarkably quickly. We poke, we prod, we hack, its what we do, and actually if you use libraries in your code the time taken to really understand how they work is generally WELL spent (How else will you know where the odd corner cases are likely to be hiding, much better to find those while playing then when on a deadline).

        – Dan Mills
        Dec 18 '18 at 19:47















      14














      Don't in general go to managers with problems unless you also have a solution.



      "This is no longer supported and is buggy" is less useful then "this is no longer supported and is buggy, but I have had a look and cooking up a patch to fix the library will take X days, replacing the library with a more modern one Y days (but then we won't have to keep patching), and doing nothing costs nothing but exposes us to the risks A, B & C, which option would you like me to do?".



      Try very hard to never go to manglement with a problem without also offering solutions, it is mostly pointless.



      Regards, Dan.






      share|improve this answer


















      • 1





        Also, you will have to get much more specific than "this software is vulnerable". To what? Is that risk mitigated in other ways? Could other mitigation be added? Any other options you can think of other than replacing the whole thing?

        – Peter
        Dec 16 '18 at 1:35






      • 14





        I find this advice "don't go to your manager with problems if you don't have the solution" quite ridiculous. I am quite capable of finding problems that I have no idea how to fix. Not telling my boss about them would be absolutely irresponsible. Maybe I have had the luck to always work with managers who are not morons who'd rather not hear about problems.

        – gnasher729
        Dec 16 '18 at 15:50







      • 1





        @gnasher729 maybe its just because I do engineering at a reasonably senior level, but even if the solution is "We don't have the in house skills to solve this, but we can use so and so as a consultant", I would always try to offer a fix. Of course going to management to give information "project foobar is running late because..." or to seek information about priorities "We don't have the resources to ship both the projects on time because... Which one should be prioritised?" are entirely valid. Information is good, information with some actionable choices is better.

        – Dan Mills
        Dec 16 '18 at 16:19











      • One potential solution would be to have the manager add the issue to the product or companies risk register (if there is no risk register, this should be on the risk register as well). If you have a Risk&Assurance person floating around, you could mention it to them as well.

        – Jamie
        Dec 18 '18 at 0:45






      • 2





        @Walfrat I am guessing you run with a different set of developers or a very different culture, because if my management tried that on our dev shop they would find that they didn't have a dev team remarkably quickly. We poke, we prod, we hack, its what we do, and actually if you use libraries in your code the time taken to really understand how they work is generally WELL spent (How else will you know where the odd corner cases are likely to be hiding, much better to find those while playing then when on a deadline).

        – Dan Mills
        Dec 18 '18 at 19:47













      14












      14








      14







      Don't in general go to managers with problems unless you also have a solution.



      "This is no longer supported and is buggy" is less useful then "this is no longer supported and is buggy, but I have had a look and cooking up a patch to fix the library will take X days, replacing the library with a more modern one Y days (but then we won't have to keep patching), and doing nothing costs nothing but exposes us to the risks A, B & C, which option would you like me to do?".



      Try very hard to never go to manglement with a problem without also offering solutions, it is mostly pointless.



      Regards, Dan.






      share|improve this answer













      Don't in general go to managers with problems unless you also have a solution.



      "This is no longer supported and is buggy" is less useful then "this is no longer supported and is buggy, but I have had a look and cooking up a patch to fix the library will take X days, replacing the library with a more modern one Y days (but then we won't have to keep patching), and doing nothing costs nothing but exposes us to the risks A, B & C, which option would you like me to do?".



      Try very hard to never go to manglement with a problem without also offering solutions, it is mostly pointless.



      Regards, Dan.







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered Dec 16 '18 at 1:03









      Dan MillsDan Mills

      4203 silver badges4 bronze badges




      4203 silver badges4 bronze badges







      • 1





        Also, you will have to get much more specific than "this software is vulnerable". To what? Is that risk mitigated in other ways? Could other mitigation be added? Any other options you can think of other than replacing the whole thing?

        – Peter
        Dec 16 '18 at 1:35






      • 14





        I find this advice "don't go to your manager with problems if you don't have the solution" quite ridiculous. I am quite capable of finding problems that I have no idea how to fix. Not telling my boss about them would be absolutely irresponsible. Maybe I have had the luck to always work with managers who are not morons who'd rather not hear about problems.

        – gnasher729
        Dec 16 '18 at 15:50







      • 1





        @gnasher729 maybe its just because I do engineering at a reasonably senior level, but even if the solution is "We don't have the in house skills to solve this, but we can use so and so as a consultant", I would always try to offer a fix. Of course going to management to give information "project foobar is running late because..." or to seek information about priorities "We don't have the resources to ship both the projects on time because... Which one should be prioritised?" are entirely valid. Information is good, information with some actionable choices is better.

        – Dan Mills
        Dec 16 '18 at 16:19











      • One potential solution would be to have the manager add the issue to the product or companies risk register (if there is no risk register, this should be on the risk register as well). If you have a Risk&Assurance person floating around, you could mention it to them as well.

        – Jamie
        Dec 18 '18 at 0:45






      • 2





        @Walfrat I am guessing you run with a different set of developers or a very different culture, because if my management tried that on our dev shop they would find that they didn't have a dev team remarkably quickly. We poke, we prod, we hack, its what we do, and actually if you use libraries in your code the time taken to really understand how they work is generally WELL spent (How else will you know where the odd corner cases are likely to be hiding, much better to find those while playing then when on a deadline).

        – Dan Mills
        Dec 18 '18 at 19:47












      • 1





        Also, you will have to get much more specific than "this software is vulnerable". To what? Is that risk mitigated in other ways? Could other mitigation be added? Any other options you can think of other than replacing the whole thing?

        – Peter
        Dec 16 '18 at 1:35






      • 14





        I find this advice "don't go to your manager with problems if you don't have the solution" quite ridiculous. I am quite capable of finding problems that I have no idea how to fix. Not telling my boss about them would be absolutely irresponsible. Maybe I have had the luck to always work with managers who are not morons who'd rather not hear about problems.

        – gnasher729
        Dec 16 '18 at 15:50







      • 1





        @gnasher729 maybe its just because I do engineering at a reasonably senior level, but even if the solution is "We don't have the in house skills to solve this, but we can use so and so as a consultant", I would always try to offer a fix. Of course going to management to give information "project foobar is running late because..." or to seek information about priorities "We don't have the resources to ship both the projects on time because... Which one should be prioritised?" are entirely valid. Information is good, information with some actionable choices is better.

        – Dan Mills
        Dec 16 '18 at 16:19











      • One potential solution would be to have the manager add the issue to the product or companies risk register (if there is no risk register, this should be on the risk register as well). If you have a Risk&Assurance person floating around, you could mention it to them as well.

        – Jamie
        Dec 18 '18 at 0:45






      • 2





        @Walfrat I am guessing you run with a different set of developers or a very different culture, because if my management tried that on our dev shop they would find that they didn't have a dev team remarkably quickly. We poke, we prod, we hack, its what we do, and actually if you use libraries in your code the time taken to really understand how they work is generally WELL spent (How else will you know where the odd corner cases are likely to be hiding, much better to find those while playing then when on a deadline).

        – Dan Mills
        Dec 18 '18 at 19:47







      1




      1





      Also, you will have to get much more specific than "this software is vulnerable". To what? Is that risk mitigated in other ways? Could other mitigation be added? Any other options you can think of other than replacing the whole thing?

      – Peter
      Dec 16 '18 at 1:35





      Also, you will have to get much more specific than "this software is vulnerable". To what? Is that risk mitigated in other ways? Could other mitigation be added? Any other options you can think of other than replacing the whole thing?

      – Peter
      Dec 16 '18 at 1:35




      14




      14





      I find this advice "don't go to your manager with problems if you don't have the solution" quite ridiculous. I am quite capable of finding problems that I have no idea how to fix. Not telling my boss about them would be absolutely irresponsible. Maybe I have had the luck to always work with managers who are not morons who'd rather not hear about problems.

      – gnasher729
      Dec 16 '18 at 15:50






      I find this advice "don't go to your manager with problems if you don't have the solution" quite ridiculous. I am quite capable of finding problems that I have no idea how to fix. Not telling my boss about them would be absolutely irresponsible. Maybe I have had the luck to always work with managers who are not morons who'd rather not hear about problems.

      – gnasher729
      Dec 16 '18 at 15:50





      1




      1





      @gnasher729 maybe its just because I do engineering at a reasonably senior level, but even if the solution is "We don't have the in house skills to solve this, but we can use so and so as a consultant", I would always try to offer a fix. Of course going to management to give information "project foobar is running late because..." or to seek information about priorities "We don't have the resources to ship both the projects on time because... Which one should be prioritised?" are entirely valid. Information is good, information with some actionable choices is better.

      – Dan Mills
      Dec 16 '18 at 16:19





      @gnasher729 maybe its just because I do engineering at a reasonably senior level, but even if the solution is "We don't have the in house skills to solve this, but we can use so and so as a consultant", I would always try to offer a fix. Of course going to management to give information "project foobar is running late because..." or to seek information about priorities "We don't have the resources to ship both the projects on time because... Which one should be prioritised?" are entirely valid. Information is good, information with some actionable choices is better.

      – Dan Mills
      Dec 16 '18 at 16:19













      One potential solution would be to have the manager add the issue to the product or companies risk register (if there is no risk register, this should be on the risk register as well). If you have a Risk&Assurance person floating around, you could mention it to them as well.

      – Jamie
      Dec 18 '18 at 0:45





      One potential solution would be to have the manager add the issue to the product or companies risk register (if there is no risk register, this should be on the risk register as well). If you have a Risk&Assurance person floating around, you could mention it to them as well.

      – Jamie
      Dec 18 '18 at 0:45




      2




      2





      @Walfrat I am guessing you run with a different set of developers or a very different culture, because if my management tried that on our dev shop they would find that they didn't have a dev team remarkably quickly. We poke, we prod, we hack, its what we do, and actually if you use libraries in your code the time taken to really understand how they work is generally WELL spent (How else will you know where the odd corner cases are likely to be hiding, much better to find those while playing then when on a deadline).

      – Dan Mills
      Dec 18 '18 at 19:47





      @Walfrat I am guessing you run with a different set of developers or a very different culture, because if my management tried that on our dev shop they would find that they didn't have a dev team remarkably quickly. We poke, we prod, we hack, its what we do, and actually if you use libraries in your code the time taken to really understand how they work is generally WELL spent (How else will you know where the odd corner cases are likely to be hiding, much better to find those while playing then when on a deadline).

      – Dan Mills
      Dec 18 '18 at 19:47













      9














      Be honest. Tell your manager that you don’t expect him to do anything, you just want to be able to honestly say that you informed your superior about this issue on a regular basis in the event that using the product as-is results in a breach of some sort. That you understand that it’s not your job to do cost/benefit analysis for fixing, switching or ignoring the issue, but you do feel it is your job to keep management informed of such issues as they become apparent to you.



      This probably won’t endear you to your manager...






      share|improve this answer



























        9














        Be honest. Tell your manager that you don’t expect him to do anything, you just want to be able to honestly say that you informed your superior about this issue on a regular basis in the event that using the product as-is results in a breach of some sort. That you understand that it’s not your job to do cost/benefit analysis for fixing, switching or ignoring the issue, but you do feel it is your job to keep management informed of such issues as they become apparent to you.



        This probably won’t endear you to your manager...






        share|improve this answer

























          9












          9








          9







          Be honest. Tell your manager that you don’t expect him to do anything, you just want to be able to honestly say that you informed your superior about this issue on a regular basis in the event that using the product as-is results in a breach of some sort. That you understand that it’s not your job to do cost/benefit analysis for fixing, switching or ignoring the issue, but you do feel it is your job to keep management informed of such issues as they become apparent to you.



          This probably won’t endear you to your manager...






          share|improve this answer













          Be honest. Tell your manager that you don’t expect him to do anything, you just want to be able to honestly say that you informed your superior about this issue on a regular basis in the event that using the product as-is results in a breach of some sort. That you understand that it’s not your job to do cost/benefit analysis for fixing, switching or ignoring the issue, but you do feel it is your job to keep management informed of such issues as they become apparent to you.



          This probably won’t endear you to your manager...







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Dec 16 '18 at 18:06









          jmorenojmoreno

          8,67821 silver badges45 bronze badges




          8,67821 silver badges45 bronze badges





















              7














              Assess the vulnerability and the cost of implementing fixes or workarounds.



              You say that this is an open-source projects that is no longer maintained. You can therefore:



              • Check to see if a maintained fork exists. A 'fork' is where someone took the original code and maintains/updates it as a seperate product.


              • Create a fork and address the security concerns yourself as a company. Bear in mind that if the original code was licensed under the GPL (any version or derivative), you legally cannot keep the code in-house if the software package is being distributed outside of your company.


              I would do number one first, then entertain number two. Either way, you have a solution you can give to your project manager.






              share|improve this answer























              • I disagree, doing that require time, time in job means money, money that, unless you're in R&D is not meant to do that but to develops. For me the first step is first to raise an issue, if the one handling it don't want you do take time to even perform an analysis, it's their choice, their responsability.

                – Walfrat
                Dec 18 '18 at 12:40











              • @Walfrat "I disagree, doing that require time, time in job means money" and I can guarantee you that having your software hacked with known vulnerabilities to the point where just using your product puts users or their assets in danger costs quite a bit more. "For me the first step is first to raise an issue" The open source package is unmaintained; there is no one to raise the issue to. If you are talking about the product manager, the product manager is asking OP for a solution.

                – 520
                Dec 19 '18 at 18:48












              • I agree, the OP made a good choice, now their manager should decide if he wants to spend time to have OP look for a solution now, later, or drop the problem. The OP could eventually have more information like how long will it take for him to assess the vulnerability. You answer is good I just think it miss that one step.

                – Walfrat
                Dec 20 '18 at 10:27















              7














              Assess the vulnerability and the cost of implementing fixes or workarounds.



              You say that this is an open-source projects that is no longer maintained. You can therefore:



              • Check to see if a maintained fork exists. A 'fork' is where someone took the original code and maintains/updates it as a seperate product.


              • Create a fork and address the security concerns yourself as a company. Bear in mind that if the original code was licensed under the GPL (any version or derivative), you legally cannot keep the code in-house if the software package is being distributed outside of your company.


              I would do number one first, then entertain number two. Either way, you have a solution you can give to your project manager.






              share|improve this answer























              • I disagree, doing that require time, time in job means money, money that, unless you're in R&D is not meant to do that but to develops. For me the first step is first to raise an issue, if the one handling it don't want you do take time to even perform an analysis, it's their choice, their responsability.

                – Walfrat
                Dec 18 '18 at 12:40











              • @Walfrat "I disagree, doing that require time, time in job means money" and I can guarantee you that having your software hacked with known vulnerabilities to the point where just using your product puts users or their assets in danger costs quite a bit more. "For me the first step is first to raise an issue" The open source package is unmaintained; there is no one to raise the issue to. If you are talking about the product manager, the product manager is asking OP for a solution.

                – 520
                Dec 19 '18 at 18:48












              • I agree, the OP made a good choice, now their manager should decide if he wants to spend time to have OP look for a solution now, later, or drop the problem. The OP could eventually have more information like how long will it take for him to assess the vulnerability. You answer is good I just think it miss that one step.

                – Walfrat
                Dec 20 '18 at 10:27













              7












              7








              7







              Assess the vulnerability and the cost of implementing fixes or workarounds.



              You say that this is an open-source projects that is no longer maintained. You can therefore:



              • Check to see if a maintained fork exists. A 'fork' is where someone took the original code and maintains/updates it as a seperate product.


              • Create a fork and address the security concerns yourself as a company. Bear in mind that if the original code was licensed under the GPL (any version or derivative), you legally cannot keep the code in-house if the software package is being distributed outside of your company.


              I would do number one first, then entertain number two. Either way, you have a solution you can give to your project manager.






              share|improve this answer













              Assess the vulnerability and the cost of implementing fixes or workarounds.



              You say that this is an open-source projects that is no longer maintained. You can therefore:



              • Check to see if a maintained fork exists. A 'fork' is where someone took the original code and maintains/updates it as a seperate product.


              • Create a fork and address the security concerns yourself as a company. Bear in mind that if the original code was licensed under the GPL (any version or derivative), you legally cannot keep the code in-house if the software package is being distributed outside of your company.


              I would do number one first, then entertain number two. Either way, you have a solution you can give to your project manager.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered Dec 16 '18 at 10:32









              520520

              5,7108 silver badges30 bronze badges




              5,7108 silver badges30 bronze badges












              • I disagree, doing that require time, time in job means money, money that, unless you're in R&D is not meant to do that but to develops. For me the first step is first to raise an issue, if the one handling it don't want you do take time to even perform an analysis, it's their choice, their responsability.

                – Walfrat
                Dec 18 '18 at 12:40











              • @Walfrat "I disagree, doing that require time, time in job means money" and I can guarantee you that having your software hacked with known vulnerabilities to the point where just using your product puts users or their assets in danger costs quite a bit more. "For me the first step is first to raise an issue" The open source package is unmaintained; there is no one to raise the issue to. If you are talking about the product manager, the product manager is asking OP for a solution.

                – 520
                Dec 19 '18 at 18:48












              • I agree, the OP made a good choice, now their manager should decide if he wants to spend time to have OP look for a solution now, later, or drop the problem. The OP could eventually have more information like how long will it take for him to assess the vulnerability. You answer is good I just think it miss that one step.

                – Walfrat
                Dec 20 '18 at 10:27

















              • I disagree, doing that require time, time in job means money, money that, unless you're in R&D is not meant to do that but to develops. For me the first step is first to raise an issue, if the one handling it don't want you do take time to even perform an analysis, it's their choice, their responsability.

                – Walfrat
                Dec 18 '18 at 12:40











              • @Walfrat "I disagree, doing that require time, time in job means money" and I can guarantee you that having your software hacked with known vulnerabilities to the point where just using your product puts users or their assets in danger costs quite a bit more. "For me the first step is first to raise an issue" The open source package is unmaintained; there is no one to raise the issue to. If you are talking about the product manager, the product manager is asking OP for a solution.

                – 520
                Dec 19 '18 at 18:48












              • I agree, the OP made a good choice, now their manager should decide if he wants to spend time to have OP look for a solution now, later, or drop the problem. The OP could eventually have more information like how long will it take for him to assess the vulnerability. You answer is good I just think it miss that one step.

                – Walfrat
                Dec 20 '18 at 10:27
















              I disagree, doing that require time, time in job means money, money that, unless you're in R&D is not meant to do that but to develops. For me the first step is first to raise an issue, if the one handling it don't want you do take time to even perform an analysis, it's their choice, their responsability.

              – Walfrat
              Dec 18 '18 at 12:40





              I disagree, doing that require time, time in job means money, money that, unless you're in R&D is not meant to do that but to develops. For me the first step is first to raise an issue, if the one handling it don't want you do take time to even perform an analysis, it's their choice, their responsability.

              – Walfrat
              Dec 18 '18 at 12:40













              @Walfrat "I disagree, doing that require time, time in job means money" and I can guarantee you that having your software hacked with known vulnerabilities to the point where just using your product puts users or their assets in danger costs quite a bit more. "For me the first step is first to raise an issue" The open source package is unmaintained; there is no one to raise the issue to. If you are talking about the product manager, the product manager is asking OP for a solution.

              – 520
              Dec 19 '18 at 18:48






              @Walfrat "I disagree, doing that require time, time in job means money" and I can guarantee you that having your software hacked with known vulnerabilities to the point where just using your product puts users or their assets in danger costs quite a bit more. "For me the first step is first to raise an issue" The open source package is unmaintained; there is no one to raise the issue to. If you are talking about the product manager, the product manager is asking OP for a solution.

              – 520
              Dec 19 '18 at 18:48














              I agree, the OP made a good choice, now their manager should decide if he wants to spend time to have OP look for a solution now, later, or drop the problem. The OP could eventually have more information like how long will it take for him to assess the vulnerability. You answer is good I just think it miss that one step.

              – Walfrat
              Dec 20 '18 at 10:27





              I agree, the OP made a good choice, now their manager should decide if he wants to spend time to have OP look for a solution now, later, or drop the problem. The OP could eventually have more information like how long will it take for him to assess the vulnerability. You answer is good I just think it miss that one step.

              – Walfrat
              Dec 20 '18 at 10:27











              2














              I currently work as an analyst on the IT security team at my company, formerly having transferred as an security auditor. I will provide a framework that I think you can use, and for which I have used on numerous occasions with success in my current role.




              Analyze the vulnerability found




              Your first task prior to escalation should be to analyze the vulnerability. In this step, your goal is to gain as much understanding about the security weakness as possible and to brainstorm how about it may be exploited. Threat modeling would be very useful exercise to do. Some answers that you would want to know are listed below. This list is by no means exhaustive.



              1. Who are the threat actors that could exploit this vulnerability discovered?

              2. How targeted do you believe the threat actors are - I.e: Are they aiming specifically for your company?

              3. What are the pre - conditions necessary for this vulnerability to be exploited?

              4. What adverse impact could result, assuming the vulnerability is exploited? - I.e: what is the inherent security risk? E.g: sensitive data exfiltration


              Rank the severity of the vulnerability using a accepted metric such as MITRE CVSS score




              Use well known and accepted sources of information for vulnerability ranking and management to increase your authority when presenting to the product manager.




              Evaluate security controls currently present to mitigate likelihood of vulnerability being exploited or impact if exploited




              Now that you have a good idea of the inherent security risk by evaluating both likelihood and adverse impact of exploitation, you analyze the current security controls and their effectiveness. I am not sure of your role or whether your company has a IT Security function, but work with them to understand what security processes are currently in place. Security controls is a broad term but in general includes detective, administrative, corrective, and preventative controls.




              Establish reasonable residual risk ranking using accepted sources and methodology




              Your goal in this step is to arrive at a reasonable ranking for residual risk - the risk remaining (business risk, data risk etc.) after application of in - place security controls. In other words, quantity the value of the in-place security controls. A source I have found useful when performing this step is NIST publication SP-800 30 Revision 1.




              Translate analysis into business value




              From the message the product owner gave you, it seems he is unsure / reluctant to proceed. It is important that you be able to translate the impact of the vulnerability into monetary terms - loss of current revenue, loss of prospective revenue due to customer attrition as a result of reputational damage in case of vulnerability exploitation etc. Assuming the product owner is rational, cares about the product, and is concerned about negative effect on customers, he / she should approve appropriate action such as to update the software.



              It is also important to note that one form of management response is to accept the risk. Management may decide that remediation of the vulnerability is too costly relative to its likelihood of exploitation / impact of exploitation. While this may not be what you prefer, it is a valid approach nonetheless.




              Use past examples to illustrate what the consequences are for inadequate attention to cybersecurity




              Past incidents provide concrete evidence that shoddy / inadequate cybersecurity have are real and have a business cost. Money is the language of business and lost money will usually catch management's attention.




              Work with your security folks (if your company has such a team) or do some own research on your own to determine needs to be done to remediate vulnerability.




              The product manager has basically asked you for a proposed solution. It would look real good if you did some research, drafted a planned remediation plan, and analyzed costs to help the product manager. Help him / her to help you. You always want to present a solution, when faced with a obstacle in your work.






              share|improve this answer





























                2














                I currently work as an analyst on the IT security team at my company, formerly having transferred as an security auditor. I will provide a framework that I think you can use, and for which I have used on numerous occasions with success in my current role.




                Analyze the vulnerability found




                Your first task prior to escalation should be to analyze the vulnerability. In this step, your goal is to gain as much understanding about the security weakness as possible and to brainstorm how about it may be exploited. Threat modeling would be very useful exercise to do. Some answers that you would want to know are listed below. This list is by no means exhaustive.



                1. Who are the threat actors that could exploit this vulnerability discovered?

                2. How targeted do you believe the threat actors are - I.e: Are they aiming specifically for your company?

                3. What are the pre - conditions necessary for this vulnerability to be exploited?

                4. What adverse impact could result, assuming the vulnerability is exploited? - I.e: what is the inherent security risk? E.g: sensitive data exfiltration


                Rank the severity of the vulnerability using a accepted metric such as MITRE CVSS score




                Use well known and accepted sources of information for vulnerability ranking and management to increase your authority when presenting to the product manager.




                Evaluate security controls currently present to mitigate likelihood of vulnerability being exploited or impact if exploited




                Now that you have a good idea of the inherent security risk by evaluating both likelihood and adverse impact of exploitation, you analyze the current security controls and their effectiveness. I am not sure of your role or whether your company has a IT Security function, but work with them to understand what security processes are currently in place. Security controls is a broad term but in general includes detective, administrative, corrective, and preventative controls.




                Establish reasonable residual risk ranking using accepted sources and methodology




                Your goal in this step is to arrive at a reasonable ranking for residual risk - the risk remaining (business risk, data risk etc.) after application of in - place security controls. In other words, quantity the value of the in-place security controls. A source I have found useful when performing this step is NIST publication SP-800 30 Revision 1.




                Translate analysis into business value




                From the message the product owner gave you, it seems he is unsure / reluctant to proceed. It is important that you be able to translate the impact of the vulnerability into monetary terms - loss of current revenue, loss of prospective revenue due to customer attrition as a result of reputational damage in case of vulnerability exploitation etc. Assuming the product owner is rational, cares about the product, and is concerned about negative effect on customers, he / she should approve appropriate action such as to update the software.



                It is also important to note that one form of management response is to accept the risk. Management may decide that remediation of the vulnerability is too costly relative to its likelihood of exploitation / impact of exploitation. While this may not be what you prefer, it is a valid approach nonetheless.




                Use past examples to illustrate what the consequences are for inadequate attention to cybersecurity




                Past incidents provide concrete evidence that shoddy / inadequate cybersecurity have are real and have a business cost. Money is the language of business and lost money will usually catch management's attention.




                Work with your security folks (if your company has such a team) or do some own research on your own to determine needs to be done to remediate vulnerability.




                The product manager has basically asked you for a proposed solution. It would look real good if you did some research, drafted a planned remediation plan, and analyzed costs to help the product manager. Help him / her to help you. You always want to present a solution, when faced with a obstacle in your work.






                share|improve this answer



























                  2












                  2








                  2







                  I currently work as an analyst on the IT security team at my company, formerly having transferred as an security auditor. I will provide a framework that I think you can use, and for which I have used on numerous occasions with success in my current role.




                  Analyze the vulnerability found




                  Your first task prior to escalation should be to analyze the vulnerability. In this step, your goal is to gain as much understanding about the security weakness as possible and to brainstorm how about it may be exploited. Threat modeling would be very useful exercise to do. Some answers that you would want to know are listed below. This list is by no means exhaustive.



                  1. Who are the threat actors that could exploit this vulnerability discovered?

                  2. How targeted do you believe the threat actors are - I.e: Are they aiming specifically for your company?

                  3. What are the pre - conditions necessary for this vulnerability to be exploited?

                  4. What adverse impact could result, assuming the vulnerability is exploited? - I.e: what is the inherent security risk? E.g: sensitive data exfiltration


                  Rank the severity of the vulnerability using a accepted metric such as MITRE CVSS score




                  Use well known and accepted sources of information for vulnerability ranking and management to increase your authority when presenting to the product manager.




                  Evaluate security controls currently present to mitigate likelihood of vulnerability being exploited or impact if exploited




                  Now that you have a good idea of the inherent security risk by evaluating both likelihood and adverse impact of exploitation, you analyze the current security controls and their effectiveness. I am not sure of your role or whether your company has a IT Security function, but work with them to understand what security processes are currently in place. Security controls is a broad term but in general includes detective, administrative, corrective, and preventative controls.




                  Establish reasonable residual risk ranking using accepted sources and methodology




                  Your goal in this step is to arrive at a reasonable ranking for residual risk - the risk remaining (business risk, data risk etc.) after application of in - place security controls. In other words, quantity the value of the in-place security controls. A source I have found useful when performing this step is NIST publication SP-800 30 Revision 1.




                  Translate analysis into business value




                  From the message the product owner gave you, it seems he is unsure / reluctant to proceed. It is important that you be able to translate the impact of the vulnerability into monetary terms - loss of current revenue, loss of prospective revenue due to customer attrition as a result of reputational damage in case of vulnerability exploitation etc. Assuming the product owner is rational, cares about the product, and is concerned about negative effect on customers, he / she should approve appropriate action such as to update the software.



                  It is also important to note that one form of management response is to accept the risk. Management may decide that remediation of the vulnerability is too costly relative to its likelihood of exploitation / impact of exploitation. While this may not be what you prefer, it is a valid approach nonetheless.




                  Use past examples to illustrate what the consequences are for inadequate attention to cybersecurity




                  Past incidents provide concrete evidence that shoddy / inadequate cybersecurity have are real and have a business cost. Money is the language of business and lost money will usually catch management's attention.




                  Work with your security folks (if your company has such a team) or do some own research on your own to determine needs to be done to remediate vulnerability.




                  The product manager has basically asked you for a proposed solution. It would look real good if you did some research, drafted a planned remediation plan, and analyzed costs to help the product manager. Help him / her to help you. You always want to present a solution, when faced with a obstacle in your work.






                  share|improve this answer















                  I currently work as an analyst on the IT security team at my company, formerly having transferred as an security auditor. I will provide a framework that I think you can use, and for which I have used on numerous occasions with success in my current role.




                  Analyze the vulnerability found




                  Your first task prior to escalation should be to analyze the vulnerability. In this step, your goal is to gain as much understanding about the security weakness as possible and to brainstorm how about it may be exploited. Threat modeling would be very useful exercise to do. Some answers that you would want to know are listed below. This list is by no means exhaustive.



                  1. Who are the threat actors that could exploit this vulnerability discovered?

                  2. How targeted do you believe the threat actors are - I.e: Are they aiming specifically for your company?

                  3. What are the pre - conditions necessary for this vulnerability to be exploited?

                  4. What adverse impact could result, assuming the vulnerability is exploited? - I.e: what is the inherent security risk? E.g: sensitive data exfiltration


                  Rank the severity of the vulnerability using a accepted metric such as MITRE CVSS score




                  Use well known and accepted sources of information for vulnerability ranking and management to increase your authority when presenting to the product manager.




                  Evaluate security controls currently present to mitigate likelihood of vulnerability being exploited or impact if exploited




                  Now that you have a good idea of the inherent security risk by evaluating both likelihood and adverse impact of exploitation, you analyze the current security controls and their effectiveness. I am not sure of your role or whether your company has a IT Security function, but work with them to understand what security processes are currently in place. Security controls is a broad term but in general includes detective, administrative, corrective, and preventative controls.




                  Establish reasonable residual risk ranking using accepted sources and methodology




                  Your goal in this step is to arrive at a reasonable ranking for residual risk - the risk remaining (business risk, data risk etc.) after application of in - place security controls. In other words, quantity the value of the in-place security controls. A source I have found useful when performing this step is NIST publication SP-800 30 Revision 1.




                  Translate analysis into business value




                  From the message the product owner gave you, it seems he is unsure / reluctant to proceed. It is important that you be able to translate the impact of the vulnerability into monetary terms - loss of current revenue, loss of prospective revenue due to customer attrition as a result of reputational damage in case of vulnerability exploitation etc. Assuming the product owner is rational, cares about the product, and is concerned about negative effect on customers, he / she should approve appropriate action such as to update the software.



                  It is also important to note that one form of management response is to accept the risk. Management may decide that remediation of the vulnerability is too costly relative to its likelihood of exploitation / impact of exploitation. While this may not be what you prefer, it is a valid approach nonetheless.




                  Use past examples to illustrate what the consequences are for inadequate attention to cybersecurity




                  Past incidents provide concrete evidence that shoddy / inadequate cybersecurity have are real and have a business cost. Money is the language of business and lost money will usually catch management's attention.




                  Work with your security folks (if your company has such a team) or do some own research on your own to determine needs to be done to remediate vulnerability.




                  The product manager has basically asked you for a proposed solution. It would look real good if you did some research, drafted a planned remediation plan, and analyzed costs to help the product manager. Help him / her to help you. You always want to present a solution, when faced with a obstacle in your work.







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited 19 mins ago

























                  answered Dec 18 '18 at 1:43









                  AnthonyAnthony

                  6,26916 silver badges62 bronze badges




                  6,26916 silver badges62 bronze badges



























                      draft saved

                      draft discarded
















































                      Thanks for contributing an answer to The Workplace Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid


                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.

                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function ()
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fworkplace.stackexchange.com%2fquestions%2f124791%2fproduct-manager-doesn-t-care-about-cybersecurity%23new-answer', 'question_page');

                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown











                      Popular posts from this blog

                      Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

                      Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

                      199年 目錄 大件事 到箇年出世嗰人 到箇年死嗰人 節慶、風俗習慣 導覽選單