Security Basics mailing list archives
Re: application for an employment
From: Don Bailey <don.bailey () gmail com>
Date: Wed, 22 Mar 2006 13:36:27 -0700
It's a sad thing that the overwhelming majority of respondents to this question advise Matthias against informing his prospective employer of the security problems he's observed in his employer's network. As a practical matter I guess they are correct. He's more likely to be shown the door (if not actually prosecuted) than to be admired for his technical skill and initiative, should he reveal his discoveries. But the fact that this is true does not in any way make it right, and it makes me sad and angry that these attitudes and policies, born of ignorance and paranoia, are now becoming codified as standards of ethics and professionalism.
Let's forget about the word "ethics" for the moment, since more often than not discussions on "ethics" are skewed based on the character of those involved in the discussion. Let's focus, instead, on the actual goal of a company or university. When hiring an employee, the generic goal of that employee is to help facilitate the survival of his or her employer. The goal of this entity is solely survival in order to pursue some eventual goal. Now, when accepting an employee for placement into a job, are you going to consider their character? Absolutely. Their actions define how they perceive your institution. If their actions are proving to be more directed towards fulfilling their own selfish goals of proving skills rather than respecting the privacy of the institution, are you going to hire them? To hire someone without the ability to constrain themselves against unauthorized activity is foolish. More often than not these are the kinds of people that will speak about their findings to others outside the institution because they believe the discussion is of some intellectual merit. Rather, they're risking the institution's security by discussing information with people that have no right to know such information.

Forget "ethics", it's all about doing what is necessary to pursue the survival of a given institution so their long term goals may be achieved. *That* should guide your best practices.

Don "north" Bailey