Slashdot Mirror


Security Responsibility Without the Authority?

Slashdot reader jamie submits this story about security administration. If you have the responsibility for security without the authority to make changes, your only role is to be the fall guy when something goes wrong.

16 of 206 comments (clear)

  1. On the other hand by tverbeek · · Score: 4, Insightful

    On the other hand, having the authority without the responsibility is a much larger disaster waiting to happen.

    --
    http://alternatives.rzero.com/
  2. False priorities by FiReaNGeL · · Score: 4, Insightful

    The phenomenon isnt specific to IT security admins; its the (sad) consequence of corporations with 'false priorities' ('one hand doesn't know what the other is doing' thing). Management ask you to do something they don't have a clue about (in this case, improving security on a network). Then you ask for resources to do the job, and the Finances guys refuse for budget (priorities) reasons.

    Basically, you're stuck in a bad position : management yell at you if anything goes wrong, Finance is annoyed by your constant demands they see no 'use' for.

    Of course, not every business works this way. But it tend to when the company gets too large...

  3. Double-edged sword by fembots · · Score: 5, Insightful

    But what happens when one can set rules and enforce them at the same time? That'll be too much power.

    Usually in a company, IT department takes care of the adminstration of IT-related stuff, and HR takes care of the rules/policies.

    If these two departments don't compliment each other, that's the problem to be fixed, instead of mixing two different roles together.

    That's my personal experience anyway, I find it easier to tell the users to take to HR (or vice versa) than having to deal with (punish) or explain certain policies to users.

    1. Re:Double-edged sword by trashcanman · · Score: 4, Insightful

      I think perhaps you are missing the point that fembots was trying to make. Putting the authority to both make and enforce policy into one department invites corruption and uninformed policy making. I agree with fembots that the policy making group should be independent of the policy enforcement group in any large organization. That being said, I think it is imperative that the policy making group understand the implications of its policy. Thus, having some kind of IT expertise in the HR department (or at least in the IT policy making process) is required to make a policy that is informed and enforceable.

      So all of the actions you alluded to in your comment (password length, firewall rules, etc.) would be the job of IT (or IT Security) to enforce, whereas the the writing of the IT policies would be the responsibility of the HR department (with participation of IT technical resources from within or outside the HR department). This is usually the way it works for physical security in most large organizations.

      ---

      --
      The Dread Pirate Roberts is here for your soul!
  4. one word : document by Anonymous Coward · · Score: 5, Insightful

    as with any job where you might be in a delicate
    position or 'the target' should things go wrong
    that are beyond your control ( whether due to
    lack of authority or lack of omniscience ),
    Document, Document, Document .. do your due
    diligence, report any possible vulnerabilities,
    suspicions of attack and recommended changes to
    your immediate boss, your IT/CIS team and their
    managers. Be public, but don't be patronizing.
    This 'paper trail' will help you immensely should
    you be terminated over some security breach should
    you be able to prove that, were your suggestions
    implemented, the breach could have been prevented.
    Security work is ridden with chance : if there is
    a flaw in the hardware or software that had not
    been documented at the root of a breach, report
    that this is a new issue with that particular
    system and that a patch is available and has ( or
    should, if you lack even the authority to patch )
    be applied immediately, or that a patch is not
    yet available. I'm not a litigious person by
    nature but I wouldn't hesitate to sue on the
    grounds of wrongful termination if i could present
    evidence that i had made those in power aware of
    the problem and had not received authorization
    to make the changes that would have prevented the
    breach.

    If you're the security guy, you Are the fall guy
    by default, but if you don't leave a document
    trail behind to show due diligence you will have
    no cushion for your fall.

    Follow the same basic guidelines that the medical
    profession uses - document anomalies, perform
    frequent monitoring, document changes. All of
    this will help greatly should you be in the
    unfortunately position of having to take legal
    action against a former employer.

    That this is necessary is sad, but it Is
    necessary.

  5. It's all political. by khasim · · Score: 4, Insightful

    It isn't about getting anything out of Microsoft. It isn't about the EULA.

    It's about being able to say that it isn't YOUR fault. You did what EVERYONE ELSE was doing. Then you pull out the magazines and articles about how whatever just happened to you has been happening all over to other companies.

    In many companies, it is more important to not be blamed for a problem than it is to be the one who solved a problem.

    1. Re:It's all political. by ScrewMaster · · Score: 4, Insightful

      Going back even further, remember the phrase "you can't get fired for buying IBM?" That pretty much epitomizes the pack-mentality approach to IT ... do whatever everyone else is doing and you, personally, have your ass covered. Doesn't matter if you've left your company wide-open for a security breach, or simply wasted the company's resources on an inadequate solution. Nowadays, of course, it's "you can't get fired for buying Microsoft" although there are an awful lot of people, from CEOs on down, that ought to have their asses in a sling for that reason alone. From my perspective, if a corporation deliberately stores my personal information using a server OS that is known to have more security holes than the Moon has craters, when that info is stolen the people that made that decision should be up on charges of negligence or worse.

      --
      The higher the technology, the sharper that two-edged sword.
  6. Re:cliches in this industry by Fulcrum+of+Evil · · Score: 4, Insightful

    anyone ever had to use their own property to band-aid something within the company about ready to explode?

    Don't ever do that. If you do, then they think their current budget is fine, so they won't pony up the next time, and, should you ever leave, how are you ever going to retrieve your property?

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  7. Security is everyones responsibility but ... by Anonymous Coward · · Score: 4, Insightful

    ...your only role is to be the fall guy when something goes wrong.

    Any time security goes amuck... look to management as the culpret. If anyone points fingers at anyone else but management they really don't know too much.

    Management has the political power, the money and the fudiciary responsibilty.

    And if they don't know the assessed level of their security and security requirements, this then means they aren't doing their job.

  8. It's still political. by khasim · · Score: 4, Insightful
    Fuck 'em. I want a company that's interested in getting the job done right, not playing stupid blame games when they screw up.
    In which case, you need a boss who understands the politics and is ACTIVELY working to counter them AND has the support of HIS boss.

    Politics happen in companies. Politics happen anytime you get 3 or more people working together.

    It all comes down to different people having different agendas working together in a company with limited resources.

    The sad thing is that once your technical skills are at the "minimally competent" level, you'd be better advised to learn corporate politics to further your career.

    A technical genius without political skills can be used and abused by a mediocre technologist with good political skills.
  9. Security led at the VP level by Skapare · · Score: 4, Insightful

    I used to work at a major financial services company. This was just as commercialism was just discovering the existance of the internet, so I was hired to design and deploy their high speed redundant connectivity. One thing this company did right, I think, is that all of their security was focused through the VP of Auditing, who reported to the CFO. And the guy who had this position was smart enough to know he knew very little about security and had to learn. I actually got to teach him more about it. We formed a group of people (at my suggestion), including another network engineer, two accountants, and one of the staff lawyers, as the security committee. His original mandate was network security. But in our first group meeting I gave a presentation on one of my long long ago hacking efforts (back in the mainframe days) that successfully broke into a major insurance company's three mainframes. I explained to them how I did it using entirely social engineering. Of course I had knowledge of the system, but I didn't utilize any bugs in the system to get in. With this I was able to get the group to change the focus of security from one strictly focusing on computer technology, to one that would be applied to everything the company did. Software bugs and misconfigured servers are, of course, important, but people are the weakest link in security, and this is even more so the larger a corporation is. Every operation of a company must consider security across the board.

    --
    now we need to go OSS in diesel cars
  10. CYA or get another job. by Anonymous Coward · · Score: 4, Insightful

    If you're responsible than you make the recommendations. If they aren't followed you warn of the consequences. If the consequences result your ass is covered. This is BASIC employee CYA.

    If you do your CYA bit well your boss will follow with his CYA bit and eventually someone will sign a check or the memos will stop with someone stupid enough to take the fall. Otherwise you don't want to be working there. Works no fun if you can't do your job.

    If you don't like the CYA game, spend the time and effort you would put into implementing your recommendations into finding another job.

    Life's not that difficult!

  11. Stupid IT Policies by Stupid+White+Man · · Score: 4, Insightful

    I have a client, however, who's IT security policy is so strict (14 characters, alpha, numeric, plus special) that each and every employee has taken to write down their user/password on a post it note and taping it to their monitor or under their keyboard. Just walking through the office you can pick up at least 6 user/passwords. I've tried to argue with the head dick in charge, and all I get is BS. Why put together a security policy so strict that it keeps employees from doing their jobs, or forces them to write down their passwords out of ignorance. Nothing worse than that.

  12. There's a better definition by kafka47 · · Score: 5, Insightful
    I've seen many definitions in the vendor and user side of security. A statement like "responsibility without authority" is highly negative and a little fatalistic, dont' you think? One of the key defining elements for me is that a good security administrator has the ability "to influence without power". That means, being Mr. SecAdmin is as much an exercise in politics as it is in technical werewithall.

    Relate this back to the industry. You're either at the top-level or you're in the trenches. A good security admin will bridge the two as best he/she can. Security fundamentally affects (and is affected by) almost every facet of an organization. I've seen through personal experience a "silo-like" mentality to security policy execution. The secadmins were in their own private bubble that attempted to be dictatory and impervious to external influence. This is wrong, wrong, wrong!

    Unfortunately, the needs of the job amount to being a little political. The decisions must be participatory, or at least giving the appearance of being participatory. That is what gives you buy-in from your users. You might say, "Why should I?" Well, if you're saying that, then you might want to find another job. Its a necessary evil if you care about keeping your org secure. If not, you might be the one complaining after the fact, "They never listened to me". Even if you're merely sitting there explaining why you are doing what you're doing - at least people are involved. You might even be giving them bad news, but at least you're telling them that you're giving them bad news before you change their lives. The real challenge here is finding the right people to involve. :-)

    Good security as much depends on the "how" of security versus the "what" of security. If your methodology is technically correct, cheap, and does the job, but you've dumped it on the organization, then guess what. It ain't gonna fly!

    The article, in its efforts to be concise, has not really justified its claims. Trying to sway the course of one of the largest governments in the world indeed sounds like a recipe for frustration, but does not necessarily map back to the industry in general. Those seem like radically different things. I remember Richard Clarke seeming positively perky during the days of his assumption of cyber-security czar role. Look at him now.

  13. most security is useless... by geoff+lane · · Score: 4, Insightful

    as it addresses the wrong problem.

    The US thinks that taking nail clippers from passengers makes air travel more secure. It doesn't but it looks as though it might.

    Most computer security looks outwards to the internet, forgetting that the biggest threat is sitting inside the firewall.

    We are all surrounded by pretend security that is in position just because it looks good. Real security is a pain in the backside. It is disruptive to the people who have to work with it and it's very expensive. It's also complex and difficult to implement.

    If the security officer in a company cannot overrule EVERY single person in the company on a matter of security, the job is a joke and exists merely as a butt-covering operation.

  14. Re:Dictatorship by pbranes · · Score: 4, Insightful
    Then, what do you propose we do? Go sweet talk the user and ask that they nicely reconfigure their system pretty please with a cherry on top? We aren't just cutting them off of the network - we are giving them a choice - either configure their system properly, or don't be on our network.

    In IT, more often than not, security has to come first, and people's feelings come second - we are talking are personal information being passed around. How do you propose running a network where the emphasis is on sharing and being nice instead of enforcing strict security policies. Go to a warehouse - the physical security of that warehouse doesn't care if you are a nice person or not - they are going to make sure to enforce the security policies on you the same as everyone else. The same idea applies to data security.