Security Basics mailing list archives

RE: security not a big priority?


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 15 Feb 2007 16:50:18 -0800

So I have a problem and I'd like to know what you guys think.
I'm a Security Analyst at an Education institute. A community 
college to be more precise.

  Same here -- except that *for now*, my job title says "Network
Engineer".

So I was brought on board to address security issues and work 
on making this place a better place.  Now the problem is.

1. I'm in the network operation team.  No security group.

  This is typical of organizations that think of security as
just a technical issue.  So *one* of your challenges is to 
educate at least your management that it's not.  But to the 
extent that it includes technology elements, you're in not too
bad a place to enact them.  See #4.

2. My boss doesn't seem to know much about security.

  Do they know about EduCause?  They should be talking to their
peers at other institutions, and learning what they do and why.

3. My boss doesn't seem to think highly of security since all 
my projects seem to be of low priority.

  Might be time to interest someone higher up in bringing in
consultants to do a review.  Believe it or not, managers are
more likely to listen to them than to employees *because*
they're expensive -- even when they say what employees have
been trying to tell them....

4. I have a long list of things that need to be done and 
they are all waiting for the engineers to work on them. But 
again they have better things to do.

  Offer to do them.  Interpret placement within the network
team as empowerment to do the work, only consulting the engineers
as necessary.

So what am I supposed to do? Look for another job? :) Anyone 
run into this problem before?

  Where I am, there are three different campus power structures 
to deal with.  There's the org chart, which puts me on the network
team.  There's the "shared governance" system; I volunteer to be
a Senator in order to sit as a representative on the Technology
Advisory Committee, which puts me into a monthly meeting with the
CTO and interested users from various constituency groups.  And
then there's the perennial faculty-versus-staff rivalry, and
what seems to work so far there is to make friends with a few of
the newer/savvier faculty (who one hopes will speak up when one is
being slagged by their colleagues).

  Since you're subscribed here, you may well be subscribed to various
other security mailing lists.  Forward an occasional item to your boss 
(don't average more than about one a week) about the latest data
breach involving an educational institution or vulnerability discovered
in some application that the college uses.  Include a brief note about
whether the same threat would work where you are; one way to look at it is
that your job is to keep your own institution out of those headlines.

David Gillett


