Comment Explain yourself (Score 1) 244
Your best bet is to find someone higher up who understands the problem or to whom you can explain the problem.
You eventually need to get to a C-level officer, something like CTO or COO who can actually mandate change. Somehow, in the places that I've worked I've been lucky enough to have CTOs that understand the concept of (and need for) security. They made a lot of changes that made sense to me (passwords must be changed more than once every 3 years, user data must not be stored on local machines, principles of least access, etc.) but other users didn't understand the business need behind them. "Yes, your department could hit all of its goals and produce its reports a day faster if everyone had access to everything, but if you use these rules then you take the extra day and you know it's right because it's auditable!"
Convince them that your business goals will be met faster / more auditably / with less risk if you implement certain policies. Risk is your best friend, although it sounds like your upper-level managers ignore it rather than mitigate it. It's going to take you a while, so get started now. Does your boss understand the problem? If not, can you explain and convince them that you know what you're talking about?
If you can't explain or justify your views on security, either learn some more or find a new job - it's not worth your while or the damage to your reputation from being associated with an insecure company if your title is Senior Security anything.
You eventually need to get to a C-level officer, something like CTO or COO who can actually mandate change. Somehow, in the places that I've worked I've been lucky enough to have CTOs that understand the concept of (and need for) security. They made a lot of changes that made sense to me (passwords must be changed more than once every 3 years, user data must not be stored on local machines, principles of least access, etc.) but other users didn't understand the business need behind them. "Yes, your department could hit all of its goals and produce its reports a day faster if everyone had access to everything, but if you use these rules then you take the extra day and you know it's right because it's auditable!"
Convince them that your business goals will be met faster / more auditably / with less risk if you implement certain policies. Risk is your best friend, although it sounds like your upper-level managers ignore it rather than mitigate it. It's going to take you a while, so get started now. Does your boss understand the problem? If not, can you explain and convince them that you know what you're talking about?
If you can't explain or justify your views on security, either learn some more or find a new job - it's not worth your while or the damage to your reputation from being associated with an insecure company if your title is Senior Security anything.
