Home page logo

basics logo Security Basics mailing list archives

Re[2]: security not a big priority?
From: Adam Pal <pal_adam () gmx net>
Date: Thu, 22 Feb 2007 17:58:27 +0100


I dont think that we should blame the management for such problems.
Just consider the fact, that they have a completely different
education from the IT staff, and also during the IT-boom in the years
before, the depratment often requested new 'toys' which need to be
payed, even if not, the IT department costs more than other usual
departments because of the technology.
Most managers cannot see the use of the money they spend on the
department, in the heads of many there still exists the idea 'if i put
money in, there must come money out', so they cannot understand that
what we do, is to protect them and the company from loosing money.
I personaly, would filter the information you can gather and put
effort into present it in an appropiate language, means in terms of
moeny and numbers.
I think that is a point where much more effort can be put in: to
standardize procedures of IT in order to make those understanable to
the management (i think risk analysis is close to that aim).
To put it in simple words : the IT needs the management (money)
in order to exist, and the management neeeds itself the IT in order to exist.

Best regards,
 Adam Pal   

Wednesday, February 21, 2007, 6:03:58 AM, you wrote:

<==============Original message text===============
TU> Greetings,

TU> First, let me begin my expressing my sincerest condolences for the living
TU> hell that you are about to face within said educational institution.

TU> I have run into similar situations before and essentially, took one of two
TU> approaches. Either way, you're in for a long haul and nothing will be
TU> overnight.  Essentially, begin from below or from above is the simple gist
TU> to my recommendations.  Let me begin by saying your best bet will be to
TU> obtain endorsement from above, so I'll elaborate there first.

TU> The security job responsibilities that were handed down to your current
TU> position stemmed from some sort of defined need.  Whether it was a sincere
TU> need to create a beneficial security change within the university or simply
TU> a 'check box' approach to appeasing some university constituents, you'll
TU> find out soon enough.  Once you find out the true intent for having your
TU> security roles and responsibilities, there is only so much more security
TU> clout that you'll be able to push in addition.  Finding representatives with
TU> more power and concern related to security will be your first priority.
TU> Establishing that level of interaction will provide for an open channel to
TU> creating change at a very important level.  If they have a lending ear to
TU> your situation, you'll be able to bring to light some of the inadequacies of
TU> your immediate manager and portray a lack of support for your security
TU> efforts.  That obviously will not go unscathed.  Hopefully you're conflict
TU> tolerable, b/c it will be uncomfortable to be between two power points: your
TU> immediate boss and the person who you confided with (who presumably has at
TU> least 2 layers over your current boss - the higher you go the better). I
TU> will say that tact is key in interfacing with that level of a person.  You
TU> don't simply walk into their office and lay down the problem. You'll have
TU> to spend much time social engineering your way into their life via personal
TU> or professional traits that will allow you to establish rapport.  After that
TU> groundwork has been laid out and you're a point beside hallway pleasantries,
TU> any given conversation could give way to what is dear to your heart -
TU> actually acting on some of the security talent you have to make a value
TU> added change to the institution.  Again, variables to success will be your
TU> rapport with this high ranking individual, you being notorious for good
TU> work, professionalism, diligence, etc amongst co-workers (regardless if
TU> their in Network Ops or not) or external customers. 

TU> The alternative is to start below...with your immediate boss that is.  This
TU> is tougher, but also requires some degree of selling or social engineering
TU> on your part in order to get into the comfort zone of your immediate boss
TU> and slowly prove the security importance over time.  Some helpful points
TU> might be depicting your security projects as a manner to exalt him and his
TU> accomplishments.  If he doesn't get security at all, use what I call
TU> 'industry parables' (Harvard likes to call them case studies) to get that
TU> shock-n-awe effect....essentially a collection of high profile security
TU> cases that involved similar institutions.  Everyone loves a good story and
TU> hopefully those will be able to convey that his job is potentially on the
TU> line if he's been tasked with protecting student and faculty information in
TU> addition to info related to the institution.  Lastly, as is the case with
TU> many inept managers who may feel intimidated with employees who know above
TU> and beyond their expertise, you'll simply have to give him the impression on
TU> several occasions that you're not out gunning for his job, but rather simply
TU> one of the guys who finds his expertise 'invaluable', 'inspiring', and
TU> 'mentor like'.  It'll be humbling, but being the security altruist that you
TU> probably are, its part of the job and a necessary price to pay to do the
TU> right thing.  Change will be slow and painful if at all.  They'll be times
TU> when you want to truly convey the dire need for some security controls, but
TU> instead you'll have to sit and listen to his network war stories when he
TU> managed a zillion hosts via rsh, wrote shell scripts to ensure NICs were set
TU> to 100-full as a way to claim victory in capacity planning.  

TU> Best of luck and may the force be with you.

TU> By the way, love the quote from B. Schneier in your signature.  He's the
TU> man.

TU> Tony UcedaVĂ©lez, CISA, GIAC
TU> VerSprite, LLC
TU> (office) 678.938.3434
TU> (email) tonyuv () versprite com
TU> (web)   www.versprite.com

TU> -----Original Message-----
TU> From: listbounce () securityfocus com
TU> [mailto:listbounce () securityfocus com] On
TU> Behalf Of Francois Yang
TU> Sent: Wednesday, February 14, 2007 4:33 PM
TU> To: security-basics () securityfocus com
TU> Subject: security not a big priority?

TU> So I have a problem and like to know what you guys think.
TU> I'm a Security Analyst at an Education institute. A community college to be
TU> more precise. So I was brought on board to address security issues and work
TU> on making this place a better place.  Now the problem is. 1. I'm in the
TU> network operation team.  no security group. 2. My boss doesn't seem to know
TU> much about security. 3. My boss doesn't seem to think highly of security
TU> since all my projects seems to be of low priority. 4. I have a long list of
TU> things that needs to be done and they are all waiting for the engineers to
TU> work on it. But again they have better things to do. So what am I suppose to
TU> do? look for another job? :) anyone run into this problem before? I'm at the
TU> point where I'm not sure what to do.

TU> Thanks.

<===========End of original message text===========

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]