Security Basics mailing list archives
Re[2]: security not a big priority?
From: Adam Pal <pal_adam () gmx net>
Date: Thu, 22 Feb 2007 17:58:27 +0100
Hello,

I don't think that we should blame the management for such problems. Just consider the fact that they have a completely different education from the IT staff, and also that during the IT boom in the years before, the department often requested new 'toys' which needed to be paid for; even if not, the IT department costs more than other usual departments because of the technology. Most managers cannot see the use of the money they spend on the department; in the heads of many there still exists the idea 'if I put money in, there must come money out', so they cannot understand that what we do is to protect them and the company from losing money.

I personally would filter the information you can gather and put effort into presenting it in an appropriate language, meaning in terms of money and numbers. I think that is a point where much more effort can be put in: to standardize procedures of IT in order to make those understandable to the management (I think risk analysis is close to that aim).

To put it in simple words: the IT needs the management (money) in order to exist, and the management itself needs the IT in order to exist.

-- 
Best regards,
Adam Pal

Wednesday, February 21, 2007, 6:03:58 AM, you wrote:

<==============Original message text===============
TU> Greetings,

TU> First, let me begin by expressing my sincerest condolences for the living hell that you are about to face within said educational institution. I have run into similar situations before and essentially took one of two approaches. Either way, you're in for a long haul and nothing will be overnight. Essentially, begin from below or from above is the simple gist of my recommendations. Let me begin by saying your best bet will be to obtain endorsement from above, so I'll elaborate there first.

TU> The security job responsibilities that were handed down to your current position stemmed from some sort of defined need. Whether it was a sincere need to create a beneficial security change within the university or simply a 'check box' approach to appeasing some university constituents, you'll find out soon enough. Once you find out the true intent for having your security roles and responsibilities, there is only so much more security clout that you'll be able to push in addition. Finding representatives with more power and concern related to security will be your first priority. Establishing that level of interaction will provide for an open channel to creating change at a very important level. If they have a lending ear to your situation, you'll be able to bring to light some of the inadequacies of your immediate manager and portray a lack of support for your security efforts. That obviously will not go unscathed. Hopefully you're conflict tolerant, b/c it will be uncomfortable to be between two power points: your immediate boss and the person whom you confided in (who presumably has at least 2 layers over your current boss - the higher you go the better). I will say that tact is key in interfacing with that level of a person. You don't simply walk into their office and lay down the problem. You'll have to spend much time social engineering your way into their life via personal or professional traits that will allow you to establish rapport. After that groundwork has been laid out and you're at a point beyond hallway pleasantries, any given conversation could give way to what is dear to your heart - actually acting on some of the security talent you have to make a value-added change to the institution. Again, variables to success will be your rapport with this high-ranking individual, you being notorious for good work, professionalism, diligence, etc. amongst co-workers (regardless of whether they're in Network Ops or not) or external customers.

TU> The alternative is to start below...with your immediate boss, that is. This is tougher, but also requires some degree of selling or social engineering on your part in order to get into the comfort zone of your immediate boss and slowly prove the security importance over time. Some helpful points might be depicting your security projects as a manner to exalt him and his accomplishments. If he doesn't get security at all, use what I call 'industry parables' (Harvard likes to call them case studies) to get that shock-n-awe effect....essentially a collection of high-profile security cases that involved similar institutions. Everyone loves a good story and hopefully those will be able to convey that his job is potentially on the line if he's been tasked with protecting student and faculty information in addition to info related to the institution. Lastly, as is the case with many inept managers who may feel intimidated by employees who know above and beyond their expertise, you'll simply have to give him the impression on several occasions that you're not out gunning for his job, but rather simply one of the guys who finds his expertise 'invaluable', 'inspiring', and 'mentor-like'. It'll be humbling, but being the security altruist that you probably are, it's part of the job and a necessary price to pay to do the right thing. Change will be slow and painful, if at all. There'll be times when you want to truly convey the dire need for some security controls, but instead you'll have to sit and listen to his network war stories when he managed a zillion hosts via rsh and wrote shell scripts to ensure NICs were set to 100-full as a way to claim victory in capacity planning.

TU> Best of luck and may the force be with you.

TU> By the way, love the quote from B. Schneier in your signature. He's the man.

TU> Tony UcedaVélez, CISA, GIAC
TU> VerSprite, LLC
TU> (office) 678.938.3434
TU> (email) tonyuv () versprite com
TU> (web) www.versprite.com

TU> -----Original Message-----
TU> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Francois Yang
TU> Sent: Wednesday, February 14, 2007 4:33 PM
TU> To: security-basics () securityfocus com
TU> Subject: security not a big priority?

TU> So I have a problem and I'd like to know what you guys think.

TU> I'm a Security Analyst at an education institute, a community college to be more precise. So I was brought on board to address security issues and work on making this place a better place. Now the problem is:
TU> 1. I'm in the network operations team. No security group.
TU> 2. My boss doesn't seem to know much about security.
TU> 3. My boss doesn't seem to think highly of security since all my projects seem to be of low priority.
TU> 4. I have a long list of things that need to be done and they are all waiting for the engineers to work on them. But again they have better things to do.

TU> So what am I supposed to do? Look for another job? :) Anyone run into this problem before? I'm at the point where I'm not sure what to do.

TU> Thanks.
<===========End of original message text===========
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Re: security not a big priority?, (continued)
- Re: security not a big priority? Brian Loe (Feb 15)
- Re: security not a big priority? Nathaniel Hall (Feb 15)
- Re: security not a big priority? gerald_309 Gerald (Feb 15)
- Message not available
- Re: security not a big priority? Francois Yang (Feb 15)
- Re: security not a big priority? Jason P. Rusch (Feb 16)
- RE: security not a big priority? David Gillett (Feb 16)
- Re: security not a big priority? Isaac Perez (Feb 16)
- Re: security not a big priority? Aman Raheja (Feb 19)
- Re: security not a big priority? Sandip Wadje-Infosec (Feb 19)
- RE: security not a big priority? Tony UcedaVélez (Feb 21)
- Re[2]: security not a big priority? Adam Pal (Feb 23)
- Re: Re: security not a big priority? Anonymous (Feb 15)
- Re: security not a big priority? Francois Yang (Feb 15)
- Re: security not a big priority? crazy frog crazy frog (Feb 15)
- RE: security not a big priority? Nhon Yeung (Feb 15)
- RE: security not a big priority? Craig Wright (Feb 15)
- Re: security not a big priority? Henry Troup (Feb 15)
- Re: security not a big priority? saltynetguru (Feb 16)
- Re: Re: security not a big priority? Anonymous (Feb 19)
- Re: Re: security not a big priority? Jax Lion (Feb 19)
- Re: Re: security not a big priority? Alexander Bolante (Feb 20)
- Re: Re: security not a big priority? Jax Lion (Feb 19)