Re: security not a big priority?
From: steve.dake () gmail com
Date: 19 Feb 2007 18:38:05 -0000
Wow. I must have many twins out there. This is too much like my last position. They brought me in to "head the security
program" and come to find out, they simply wanted a "security person" to be responsible for all security issues, but
with no political clout or backing to do anything about it.
I worked hard at developing the policy, and processes needed. Working closely with internal audit and creating a "C
level team of security champions" helped a lot.
The IT area however, depended on two very stubborn junior level admins that wanted to continue to rely on smoke and
mirrors as they had since the 90's. Their boss and friend (the IT manager) was also my boss which created a major
conflict of interest - they chose to perceive security as something that interfered with the shortcuts they had relied
on for years (like 3 character passwords that never changed..) - it required them to do something different. The only
concept they had of security was AV and a firewall, and they did not want to hear anything more. It was a totally
reactive culture that never planned ahead... That was a nut that I could not crack, and eventually gave up.
I hate to say it, but sometimes you have to leave uselessness behind and walk. I am much happier now working as a
consultant. It's kind of amazing how you can write up findings and recommendations on the inside and no one takes it
seriously, but as soon as an external consultant says the same thing, then bingo - now it's a priority...
I did learn from the experience: I will now be very mindful of the org and reporting structure, as well as how employees
are rewarded and other individuals' job descriptions. Without proper incentive, you cannot get people to change their
habits - even if they know it's wrong.