Michael R. Farnum

Hitting the Security Nerve

Another security figurehead -- what a tragedy

I have talked about security figureheads before and how much it gripes me. It bothers me for a few different reasons. One is because it is wrong when a company puts someone in a position so the execs can check a box on a list and simultaneously have someone to blame when things go wrong, even when they haven't given that person the resources to do the job. I also rail against it because I have been just such a person, and the sense of impotence was maddening. Yet I had managed to push those old feelings away and actually enjoy my career after I left that job.

Well, now a very good friend of mine has been put in the same position, and all of those feelings came flooding back. I just get enraged when management simply refuses to implement security except for putting someone in a security position and calling it good (BTW, my friend is the security manager, but he answers to the IT Director and got no raise in salary for the promotion - a situation eerily similar to my last job, except I did get a raise). This company is publicly traded, and they are buying other companies left and right, yet they refuse to do any meaningful infrastructure and security upgrades. However, they just recently purchased their third corporate jet. Hmmmm, can you say "priorities"???

Honestly, I have become mature enough in my security career (mostly because of trials by fire) to know that management has to make business decisions that will invariably affect how much I have to split security between capital purchases and creativity. But this situation is not management making that kind of informed and difficult decision. This is simply management making a decision between what it understands (corporate jets) and what it refuses to try to understand (security).

No doubt many are thinking that this friend of mine needs to do a better job of getting people to understand. And to a point, I agree. Many of us are guilty of not trying to explain security to the best of our abilities and simply think management should have better common sense. But at the same time, when you get a promotion and no raise, you have to question the validity of the commitment management is making to security, and you have to think whether or not any words you can put down on PowerPoint or on an executive summary are going to pierce the administrative armor. It doesn't mean you shouldn't try, but it does make you wonder how hard you should try before looking elsewhere.

What People Are Saying

I think part of the problem

I think part of the problem lies in the fact that "computer security" sounds like a geek issue, and "information security" a little less so. Perhaps "business risk mitigation" will have better luck getting management buy-in. It certainly sounds like a "management issue."

Craig Herberg

yes, that's hard to find

Yes, that's hard to find something better, but I think that everyone may TRY; nobody will kill you for that.

So what is your advice to

So what is your advice to somebody in this position... besides run or start looking for another position?