
Security Basics mailing list archives
Re: Re: security not a big priority?
From: "Jason P. Rusch" <saltynetguru () infosec-rusch com>
Date: Fri, 23 Feb 2007 12:13:38 -0500
OK, I'm gonna go a bit off topic here, but bear with me, as I believe this is an important part of this thread. I weighed in on this earlier, and not to try to come across the wrong way, but one thing I think that a lot of us are wrong on as far as our approach to this problem is the scare tactic. It simply doesn't work; highlighting to management what has happened to similar businesses that didn't take proper steps in security doesn't, for whatever reason, in most cases motivate them to make the proper changes. The only exception I've ever seen to this is when it is a risk tied to compliance of something: PCI, SOX, etc.

Some of the reasons I think that management is not motivated by the scare tactic are:

A) You are just the security guy and it's your job to be overly paranoid.
B) It won't happen to us, we are 1 network out of 10,000's.
C) Security people don't explain the risks in a language (business terms) they understand.

I still at times try to highlight what bad things can happen, but more in a risk analysis form, not the scare tactic way. Also, the best way to get something done honestly isn't the scare tactic, but to try to tie the security things you want to accomplish to how it supports the operations and how it benefits production, more than how it prevents bad things from happening.

This is an old article, but I think it highlights what I'm trying to say.

http://www.landfield.com/isn/mail-archive/2001/Feb/0044.html

--
Sincerely,
Jason P. Rusch, CISA/CISSP/N+
Information Security Manager
Wesley Chapel, FL 33543
saltynetguru () infosec-rusch com
AOL IM: SaltyNetGuru
www.infosec-rusch.com
"There is no patch for stupidity"