Security Basics mailing list archives

Re: Re: security not a big priority?


From: cwwoods () mindspring com
Date: 19 Feb 2007 13:34:17 -0000

Francois,

I have read the entire thread.  Wow.  --- We must be twins.  :-)  I have been experiencing the exact same thing on my 
job.  But more so:

- I was hired for Network Security by individuals it now seems really did not understand the concept.  When I initially 
arrived, the attitude was that I would "secure" whatever project or action was taken.  It took a while to get them to 
understand that I needed to be a proactive, included member of things from inception.

- Not only do I report to a Network Ops manager, this person - who on one hand admits they have no security background 
- sets the agenda for how I go about addressing this area.  There are constant conflicts, up to and including my 
recommendations and opinions sometimes not being heard because they are perceived as unnecessary, unrealistic, or 
obstructing progress.

- I am the only person dedicated to network security.  That is not necessarily a huge issue.  The larger issue is that 
the perception is that I alone should somehow be able to do everything, and I should be able to do everything by 
myself.  The last major virus outbreak we experienced, after a couple of days it became obvious that I could not scan 
EVERY cpu by myself. However, I was turned down when I asked for help (Our helpdesk was allowed to low-priority my CPU 
scan tickets.)  And in the end, management was thoroughly displeased with how the whole incident was handled (took too 
long, users were upset, etc).  Meanwhile, I was a wreck from having worked about 40 hours in a three-day period. ... An 
unwinnable situation.

- The entire IT dept is nearly completely reactionary.  We have no CIO, and our IT leader is not seen as an equal by 
the other top-level executives.  Basically, whatever requests or whims other departments want, we wind up trying to 
accommodate.  Even if the wishes are counter-productive, redundant or will adversely affect the network.

- IT does not seem to "talk" to the user community.  It is almost like the goal is to allow the users to do whatever they 
want, while IT does everything for them.  Which would maybe be okay, except there is a culture of allowing the users to 
do darn near ANYTHING they want.  I see a real lack of guidance coming from our IT department.

I am leaving this position. I have been unable to figure out how to simultaneously write policies (there are none), 
plan strategy, fight the day-to-day fires and perform proactive, pre-emptive research and analysis by myself within a 
reasonable timeframe to keep up with the ever growing needs of the environment.  Things fall through the cracks, 
mistakes get made. Although some colleagues are beginning to understand that they, too, must become more security 
conscious in the way they approach networking, still security overall takes a back seat.  No one wants to tell the big 
bosses "no", that some of what they want is not feasible at the moment, or that some things will be delayed because we 
are trying to do them correctly now.  Or tell them the real cost of implementing the latest whiz-bang technology 
without shoring up the holes that currently exist.  -- Definitely, no one wants to say that mistakes were made in the 
past, and now we have to correct them in order to get better and move on.

Francois, I feel for you.  I, too, know that not all environments have to be like what you and I have (are) going 
through.  The choice for me is to leave.  I hope that you will be able to make your management understand that security 
is not one person's job.  Rather, it is a way of thinking and doing business.  To paraphrase the poster, network 
security is not a destination - it is a journey.

Best of luck to you!

Your "sister" for the cause,
Claudia

