Re: Re: security not a big priority?
From: cwwoods () mindspring com
Date: 19 Feb 2007 13:34:17 -0000
I have read the entire thread. Wow. --- We must be twins. :-) I have been experiencing the exact same thing on my
job. But more so:
- I was hired for Network Security by individuals who, it now seems, really did not understand the concept. When I initially
arrived, the attitude was that I would "secure" whatever project or action was taken. It took a while to get them to
understand that I needed to be a proactive, included member of things from inception.
- Not only do I report to a Network Ops manager, this person - who on one hand admits they have no security background
- sets the agenda for how I go about addressing this area. There are constant conflicts, up to and including my
recommendations and opinions sometimes not being heard because they are perceived as unnecessary, unrealistic, or
- I am the only person dedicated to network security. That is not necessarily a huge issue. The larger issue is that
the perception is that I alone should somehow be able to do everything, and I should be able to do everything by
myself. The last major virus outbreak we experienced, after a couple of days it became obvious that I could not scan
EVERY cpu by myself. However, I was turned down when I asked for help (Our helpdesk was allowed to low-priority my CPU
scan tickets.) And in the end, management was thoroughly displeased with how the whole incident was handled (took too
long, users were upset, etc). Meanwhile, I was a wreck from having worked about 40 hours in a three-day period. ... An
- The entire IT dept is nearly completely reactionary. We have no CIO, and our IT leader is not seen as an equal by
the other top-level executives. Basically, whatever requests or whims other departments want, we wind up trying to
accommodate. Even if the wishes are counter-productive, redundant or will adversely affect the network.
- IT does not seem to "talk" to the user community. It is almost like the goal is to allow the users to do whatever they
want, while IT does everything for them. Which would maybe be okay, except there is a culture of allowing the users to
do darn near ANYTHING they want. I see a real lack of guidance coming from our IT department.
I am leaving this position. I have been unable to figure out how to simultaneously write policies (there are none),
plan strategy, fight the day-to-day fires and perform proactive, pre-emptive research and analysis by myself within a
reasonable timeframe to keep up with the ever growing needs of the environment. Things fall through the cracks,
mistakes get made. Although some colleagues are beginning to understand that they, too, must become more security
conscious in the way they approach networking, still security overall takes a back seat. No one wants to tell the big
bosses "no", that some of what they want is not feasible at the moment, or that some things will be delayed because we
are trying to do them correctly now. Or tell them the real cost of implementing the latest whiz-bang technology
without shoring up the holes that currently exist. -- Definitely, no one wants to say that mistakes were made in the
past, and now we have to correct them in order to get better and move on.
Francois, I feel for you. I, too, know that not all environments have to be like what you and I have (are) going
through. The choice for me is to leave. I hope that you will be able to make your management understand that security
is not one person's job. Rather, it is a way of thinking and doing business. To paraphrase the poster, network
security is not a destination - it is a journey.
Best of luck to you!
Your "sister" for the cause,