Security's Shaky State
Ant writes "According to InformationWeek, Information Technology (I.T.) security professionals say when it comes to security, most I.T. departments are underfunded, understaffed, and underrepresented.
Resourceful I.T. security professionals are getting the job done, but their efforts have been hampered by undersized staffs and underfunded budgets that limit choices ranging from what products they buy to the vendors they work with."
A major part of the problem is that CFO types don't like spending money on things they don't see a need for. By the time they see a need for security, it's past the point at which throwing money at the problem will fix things.
Likewise, the security side of an I.T. department is the sort of job that is hard to justify to people who assume that if they don't notice results, the job isn't really doing much.
Ah the glory of an invisible job.
-JMP
Bitch bitch bitch. You'd think IT was a profit center.
The IT Security department does more preventative solutions than anything else... so basically, if you don't hear boo about them, it's a good thing. Essentially, the better the job they do, the less the management of a company realizes they are important. "Oh, well we haven't gotten hacked in 3 years... we can afford to cut our security department budget this quarter".
First sentence==Second sentence. What a shitty article!
All these workers should just go on strike! I wonder how long it would take before the companies started meeting their demands ;-). It wouldn't take many security breaches.
Arrrrrrr
In Fight Club, there is a scene in the beginning where Ed Norton is explaining how they determine the possibility of a car recall by tallying up the amount paid out to owners of faulty vehicles vs the total cost of recall. It turns out that the value they came up with for each life lost to the vehicle fault is very small.
The value of lousy IT and a data breach is less than the value of good IT and full protection, so it's cheaper to just stick with lousy IT and handle issues as they come than to face it all up front with the added costs involved. It's also why "IT professionals" are the lowest paid screwdriver monkeys in the business, at least compared to other programmers.
Both pale in comparison to executive pay, but it's hard to compare the value of brains vs technical smarts.
Jesus saved me from my past. He can save you as well.
Sounds to me like the cries of thousands of unemployed and underworked people who jumped into the IT security wagon.
Our company has revenues of over 2.5 billion and we pay half a dozen Infosec idiots with 15 initials after their names to fuck around and write a 500 page RFP for the best hard drive forensics tool, meanwhile the Win2k drones run themselves ragged trying to keep up with Patch Tuesday.
Security doesn't tend to have a pretty interface that managers can see; managers love eye candy. It's a bit similar to the case where you will develop the interface before the backend. If you spend 6 months working hard on a backend, a client/manager will think you haven't been doing much. If on the other hand you have a nice colourful interface to show them after 6 months regardless of functionality, they will love you.
Sarbanes-Oxley act is the new security-minded sysadmin's best friend.
Managers and Execs start taking IT security a hell of a lot more seriously when they realize they can go to jail if they're implicated in fraud.
To comply with SOX, you have to document all your procedures, all your data flow, and make it available to gov't regulators. You also have to document what holes you're aware of in your systems and how you plug them.
Whistleblowing is quick, easy, anonymous, and DEVASTATING.
SOX ROX.
...what is it, when it comes to the 'Security Theory of Everything'? What is the Holy Grail of security?
It's unfortunate that unions have gotten such a bad rap, especially among engineers in the computer-related fields. For all the Randian talk of rugged individualism, most people really are just sycophants and sheep. That's not bashing, it's just the way it is. For every engineer demanding better pay and working conditions, there are one thousand who are just happy to collect a paycheck every two weeks. If the industry was made up of solely the former type of engineer, there really wouldn't be any need for unions, each person acting in his own self-interest would be a union unto himself.
However, when you look around and see people working 40+ hours a week, working on the weekends, working through the night, showering at work because they don't have time to go home, and being pushed through project cycles that are causing undo stress, something is wrong. The balance of power is not maintained and the employers are exploiting the engineers. That "great" paycheck you're raking in every two weeks suddenly comes out to barely double minimum wage when you break it down hourly. The cost to your family is also incredibly high as they don't have you around. It's a terrible situation.
So what's the solution? Well, the favored solution among the computer cognoscenti is to "go find yourself a new line of work". Why should someone who is good at their job be forced to take a different job just because the industry is unwilling to offer a fair wage as well as reasonable working conditions? It should not be a requirement that anyone who wants to work in the computer industry should also be forced to give up their personal lives. Unionizing is one very good way of forcing employers to bend to the needs of the employed.
It's unfortunate that so many people are against the idea. We ought to be working to live, not living to work.
Jesus saved me from my past. He can save you as well.
There's not much you can really do about it. You can buy all the "security" in the world and the next M$ worm will still take out your servers and your desktops. The only thing more staff does is make the recovery faster, but the limit is how fast Microsoft themselves fix the real problem. Beyond that, you block ports and services until things go away, which is not much better than broken.
At big companies, the problem is NOT a lack of resources, it's resources poorly spent. The quoted ratio is 1:5, one Unix admin can do the work of five Windoze admins.
Friends don't help friends install M$ junk.
"In Fight Club, there is a scene in the beginning where Ed Norton is explaining how they determine the possibility of a car recall by tallying up the amount paid out to owners of faulty vehicles vs the total cost of recall. It turns out that the value they came up with for each life lost to the vehicle fault is very small."
In one of my college courses, we saw copies of documents from the desk of a GM executive, detailing the same.
Who needs movies as examples, when reality is just as depraved?
Security is underfunded because the whole point of business is to underfund everything you possibly can to make a buck.
Religion is a gateway psychosis. -- Dave Foley
My biggest beef is not the lack of staff or budget but the lack of discipline. Nowadays it seems that everyone *needs* a computer at their desk, and they seem to have no problem misusing company resources. I don't mean things like checking email while on the clock, but rather installing their favorite IM program, or perhaps a fancy calendar doodad or toolbar (laced with an unhealthy dose of spyware, of course). Let us not forget those "important people" higher up the chain that would have your hide if you even mentioned that perhaps they shouldn't be using Kazaa on a company machine or opening every email attachment under the sun.
There was a day where staff were wary of computers, and treated them with respect. Those days have long past... all they're wary of is that weird IT guy who tries to tell them what to do with their machine.
I'm just curious...
It talks a lot about how staffing hasn't gone up. But an admin worth his salt will make his job easier over time. Creating scripts, getting the hang of how to fix problem x the fastest. Getting used to patching/upgrading. I guess the real problems occur when large scale changes take place. Everyone migrates to another platform, or building X Y and Z now connect remotely. But as far as the usual day to day issues, if you're caught up I don't see what the big hassle is... the more you automate for yourself the easier it becomes.
It would be nice if these large transitions were better planned. Such that in large corporations more of the IT would shift to where the major upheaval is occurring (I'm guessing that there usually isn't enough IT to throw at the problems). I'm also guessing that often times the magnitude of these transitions are underestimated in terms of time needed, and people. But once again, I still don't see the 'normal' day to day conditions being a major problem for someone who has settled in. Of course I could be completely off base and will raise holy hell with a whole bunch of sys admins / varied IT peoples who will declare some sort of technical jihad, and come busting down my door in 5 minutes telling me how really wrong I am.
The article just said "security professionals are getting the job done". How could they be underfunded? If the potential gains will be marginal, how much more money could you throw at the problem before it becomes unprofitable? And the cost of increased (as in ultra paranoid) security is not just in staffing and purchases. It also puts a strain on all the systems and employees in the company. I'm not saying there aren't companies in dire need of better security, but like your accounting department, security is a zero profit area that you don't want to see growing year after year, unless you already have some big, costly security problems that need fixing.
Good security isn't something you can easily achieve by spending a lot of money anyways. Just plan on having good security from the beginning so that you don't have a big security problem to patch up later, undoubtedly at the cost of interruptions to your business. Try to do things right the first time.
First of all, I agree that security is a typically under-appreciated job. However, I've also seen what happens when security has the power to implement whatever tools/measures they want. That situation is probably worse than the lack of security at most places...not only can your security team get in the way of the business with insane risk avoidance policies (making the business less efficient), but it can be directly expensive in the price of staff and tools.
Security people need to understand that not every risk has to be avoided. Many risks are an acceptable trade off to allow the business to be efficient. Honestly, I want my security team to be a little paranoid...but I want their manager to have a good understanding of the impact security policies can have on the people who do the things that bring money into the company.
Kind thoughts do not change the world
not really
The notion that security is "never seen" is exactly the wrong thinking that causes security not to be a problem. Would a hacker announce that he's rooted your network??? You still need highly trained security professionals on your network for exactly this reason - security cannot be a "hide underneath a pile of coats and hope everything is fine" IT approach.
For most CIOs, their understanding of security doesn't extend further than users having local admin rights, spam, viruses and spyware. Other than that, most CIOs barely even know what data they are sending off their network unencrypted.
At the last place I worked, the network admin had no packet sniffer, no IDS, no honeypot, applied weak password policies through Active Directory and ran one application (SpySweeper) to manage all the spyware on the network.
Hagrin.com
Sounds like the IT guys interviewed here took a cue from the nurses' union, which complains of "understaffing" every time you turn around, so they can get more members.
sulli
RTFJ.
... the Engineers and engineers; we doers, designers and other coal face bunnies have to eat some of the blame for under-funding and under-recognition.
If we could accurately quantify the benefits of what we want to do; and there MUST be a simple investment/payback model that any managoid can understand for anything you want to do. We are smarter than them, yet more often than not we bitch about how dumb the senior management is rather than use our smarts to convince them.
Trust me; do your research, present in simple terms the cost of the investment in (insert program here) vs. the cost of not doing it. Remember to quantify the risks in FINANCIAL terms. Lost productive hours; Loss of commercial advantage.
Take an active role in developing Key Performance Indicators for the organisation if it has such programs.
At the end of the day, baby boomers are, by and large, idiots as well as our bosses; they don't get the modern world. We have to present it to them in simple cost accounting terms. The more successful we are at communicating in these terms, the bigger our budgets will be.
Remember, businesses don't/shouldn't SPEND money... they should INVEST it; this is the way to convince and influence PHBs and managoids.
Anyway, just my $0.02AUD
err!
jak.
I work as a software engineer for a very large company in the US. After 5 years with limited security and no virus scanning of email, the company network was beat down internally by every virus known to man. The "solution" was a very unfocused initiative. IT did stupid things like block every attachment via email (driving us nuts) while not making antivirus software mandatory. People would just plug a laptop in the network and spread everything they had on it. The IT department should have focused on handling the viruses instead of trying to avoid them all together. They will get on the network anyways. Another "smart" thing they did was block access to Windows Update to make installing patches difficult. They had the staff, but not the knowledge and plan. That's more important in my opinion.
gasmonso http://religiousfreaks.com/
Here's why: They are outsourcing all IT jobs to India. In other words, they create the problem because after outsourcing, no new blood is attracted to fill the ranks of the IT colleges.
After creating the problem, they then lament about the problems they face...sheesh!
Hey, who are we in IT to question what thousands of MBAs and Microsoft have done?
When IT workers unite, the employers take the work offshore and workers' rights go right into the toilet with their jobs.
And then these same employers quickly learn that offshoring is to data security what Al Qaeda is to peace, freedom and tolerance.
Ask Cisco and Citibank how they feel about that...
--- Grow a pair, liberals... stop letting the Republicans bully you!
It's utterly stupefying that with the wealth of best-practices knowledge that (as just one example in an overflowing sea of security issues) the majority of online banks use such lame authentication practices....
If the banks can't get this one simple issue ironed out satisfactorily, we really shouldn't be surprised at the general state of security being abysmal in the world of computing.
Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind. - Dr. Seuss
I think if a company's system is breached and fraud or ID theft is perpetrated, the time, expense, cost of new SS#, accounts, lawyers, etc. should be borne entirely by the entity responsible for the data's security. Punitive damages, if warranted, should also be assessed to punish irresponsibility.
If the perps are ever identified and apprehended they should be severely punished, civil & criminal.
Who will guard the guards?
http://www.419eater.com/
There are entire groups of civilians devoted to bringing down criminals and other IT security nightmares. The guys and gals at 419Eater do a better job than eBay in policing fake escrow sites, and taking them down [legally most times I'd hope].
Saskboy's blog is good. 9 out of 10 dentists agree.
That being said, you can't expect a top security expert to be hired straight off of Micky D's Burger Tossing College and then bitch about internet security.
In my honest opinion, real security would become a reality if the system administrator's salary is more than the CEO's, as the CEO is nothing more than a figurehead of a company, with no redeeming talents or education. Any CEO doesn't have the knowledge to wipe his/her own ass, much less run a company. They don't even know how to brush their teeth for chrissakes.
(or it could be they are felchers).
This is news?
A new car built by my company leaves somewhere traveling at 60 miles per hour. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field (A) multiply it by the probable rate of failure (B) then multiply the result by the average out of court settlement (C). A times B times C equals X. If X is less than the cost of the recall, we don't do one.
The quote is certainly meant to talk about the value of life, but not as a quantitative value. It's meant to show how little corporations care for anything besides money (and also slightly parallels the Ford Pinto safety debacle).
"We've never had a fire.
Let's get rid of those ugly sprinklers and fire alarms."
I have been looking for good introductory material on security on various platforms, and I have had great difficulty. To make matters worse, I attend a small to medium sized university that does not have a definitive focus in computer science. It's so hard to discuss and encourage discussion in a topic that is simply not taught on a large scale level at the university. Sure, the class was offered once the entire time I attended. The problem with securing systems and security in general is the knowledge that both the general users and even technical individuals have about it.
Unbelievable. I should have paid attention when /. hit that iceberg.
Has sulli ever been to a hospital and seen how long it takes for a nurse to get to a patient now? I've been there and seen it in person. These nurses aren't lazy, there simply are too few of them for all the patients on a given floor.
Here's some information for sulli to read and be educated.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2001/08/16/ED211776.DTL
Now, as for IT security, may sulli's credit card data be guarded by companies run by execs who follow his/her line of reasoning. Not mine.
How could such an utterly factually wrong and trollish post get a +1? The credibility of moderation on here is shot to crap with pluses being given to such intentionally stupid comments.
--- Grow a pair, liberals... stop letting the Republicans bully you!
Newsflash! Unions look out for their own members, and try to get more. It's called acting in their own interest.
sulli
RTFJ.
Unfortunately, at some point it all boils down to perception.
The challenge for IT boils down to how well they can hustle management into taking their concerns seriously enough. Most often while playing second fiddle to ignorance and ego.
But then again, you could accurately say the same thing about any other I.T. Dept.
I.T. is a cost center of _any_ business, not a profit center..
"Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
underfunded budgets that limit choices ranging from what products they buy to the vendors they work with.
The other side of this is that even when companies do have the budgets for these fancy-schmancy products from uber-respected vendors, it's often the users, and their lack of awareness or education about their role in security, that's the weak link.
"One people, one Reich, one leader." -Adolf Hitler
"We are one Nation, we are one People." -The One 'leader'
Chances are, any department will say this because they always view situations as win-lose. I.e. if the marketing dept. gets $100k, we aren't getting $100k. Every department could use more money, it's a given.
Fair enough.
http://www.cbsnews.com/stories/2003/01/17/60minutes/main536999.shtml
http://archives.cnn.com/2001/HEALTH/05/07/nursing.shortage/
I guess this means nurses own the media, universities and every other organization that has measured nurse to patient ratios in hospitals, too. Either that or the people who work there have been in the hospital at some time and have been blackmailed with the option of printing the nurses' side of the story or dying from poor care (how wude!).
In either case you'd be better off shaking your appendix with joy and welcoming your registered nurse mistresses, than claiming there isn't a shortage...
--- Grow a pair, liberals... stop letting the Republicans bully you!
This is just what I have been telling people like one hundred years ago in my city, but did nobody listen? No. All they thought about was where they could get the cheapest possible job offer.
Think about it! Some security companies are under the influence of other companies that of course sponsor these companies. In exchange they are using that software company's software and they'll sell more. Kind of a relief for the security company, but it can be a pain for customers who don't want to rely on those softwares.
Think about windows and its upgrades, virus-security, adware and other malware. (Yeah I put windows updates in the same class with viruses. They do almost the same damage, but in a different kind of way.) Somebody has to do that for organizations like schools and such. The problem is that people don't know about computing enough. If they just knew the thing that using a computer isn't complicated and if they just would read the lines on the screen it would be a lot simpler for them. I think that there would be lots of other ways to go around these kinds of problems, but making them rely on some security company that is under influence doesn't make it better for sure. I realised this back in 1996 and changed to Gnu/Linux for my own good. I dumped windows off from my hd in 2001.
-Andy-
Shop them to the fuzz.
(Choose the laws that apply in your country/industry)
You'll find that the Data Protection Act, FSA Regulations, Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Bank Secrecy Act, and the Health Insurance Portability and Accountability Act should be enough to get them in court.
hot cups of coffee notwithstanding.
Dude.
McDonalds was selling 180-190F coffee. That's 3rd-degree burns in 2-7 seconds if you spill it on yourself. She was the passenger, in a parked vehicle, and had difficulty removing the lid. Whoops, splash, AAAIEIEIE!! Reconstructive surgery to her genital areas; 3rd degree burns over 16% of her body. Worst scald burns the doctor had ever seen.
She was 79.
McDonalds had known of 700 cases of 2nd and 3rd degree burns like this caused by their coffee, over the prior 10 years, but refused to turn down the temperature. $2.7 million dollars in punitive damages.
In their favor, she was found to be 20% responsible for the accident.
http://www.centerjd.org/free/mythbusters-free/MB_mcdonalds.htm
I've seen this time and time again - maybe I'm just getting too cynical for my own good ;-).
As far as I can tell, in quite a few companies IT Security staff are only employed as a gesture towards corporate risk management. In other words, as long as the gesture exists there is an apparent legitimate claim that effort was put in to mitigate a risk.
When (not if) the inevitable happens, it doesn't take a rocket scientist to work out whose head will roll. For those who haven't reached their operational caffeine level yet: it's not going to be an executive.
Having said that, I'm glad to come across more and more evidence that quite a few companies at least *DO* get it so maybe there is hope.
Insert
Why do they think network security is any less important than physical security?
Unfortunately because we don't do a good job justifying it in most cases. I'm a weird IT security type in that I have a finance & banking undergrad and am finishing it off with an MBA. I can analyze cashflows faster than the CFO and use MIRR/NPV models that are much more comprehensive and accurate than the "payback period" nonsense the financial dept relied upon.
When you understand finance better than the other managers and can explain security from that perspective to an executive committee that values rational decision-making, you'll do very well. However, leave it to irrational decision-makers, or just come in talking about abstract risks (to these people they usually are making up their own needs based on a lack of hard data, so your security horror stories are no different to them) and you'll fail to get support.
The biggest problem I see with our clients is that the IT security managers are all promoted technical people (who were usually competent in their technical area), but couldn't prepare a capital budget if their life depended upon it. If you can't speak the protocol of the decision makers, you will usually fail in obtaining resources and support.
The science journal, Nature, has reported that water is wet.
Security has always been a problem, and probably always will, because the risk is very difficult to quantify. "You should install XYZ because it'll probably maybe sorta keep out attackers." doesn't quite cut it when you ask for $500k to implement it. And the field is changing too quickly to commoditize certain security issues (A/V and simple encrypted point-to-point communications excluded).
Also, much of security is built upon black magic-- so few people understand things like cryptography, it's a bit like 'security through obscurity'.
My $0.02.
Whoever fights monsters should see to it that in the process he does not become a monster. --Nietzsche
//Information does not want to be free; it wants to breed.
This is not the case where I'm working. Our IT department is all-powerful, and security rules are so strict that they in fact prevent us from working.
As an example, those useless motherfuckers refuse to give us VPN access to work remotely, so we have a big pain to get our job done when not in the premises. Of course, this reflects in our productivity. It seems as if the IT department is the one making money for the company, they are the rulers, and we have to shut up and obey.
The only folks I saw who were quoted in the article worked either for state/local government or a university. I'm sorry, but private industry is an entirely different animal. Perhaps out of your 1,500 respondents, folks, you should give us an idea of the breakdown.
When it comes to ANYTHING (not just security), most IT departments are underfunded, underrepresented and understaffed.... Thank you, Captain Obvious!
'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
Apparently another Outlook trojan has exploited InformationWeek's copy of Excel.
No, seriously, stare at their chart for a minute....there ya go!
My second (and more serious) comment is that we can't really be expected to take seriously a corporate division's introspection that it is perpetually underfunded. The conflicts of interest and problems of impartiality are so blatant that they would leap out at a retarded intern, and I cannot for the life of me understand why something like this would be published as "research". If you really want to know whether IT is underfunded, take enough data points (hundreds, hopefully) to draw the curve that represents security incidents vs dollars spent and ask senior management of each company if they're where they want to be on that curve. Then, do the same thing for compliance incidents...
I recall talking with a very experienced, capable security expert who had founded a company (and was CEO). The remark that sticks in my mind was along the lines of, "No one can make much money in this business, because customer executives never buy the security their company needs - they buy the very minimum to avoid being successfully sued for negligence if the shit hits the fan".
I am sure that there are many other solipsists out there.
From many of my IT experiences, 20 years worth, I've found a worsening trend over the past 9 years in all facets of IT becoming under funded, understaffed and underrepresented in smaller corporations and business. I attribute this pretty much to greed, business ignorance concerning IT and the glut of IT personnel in the job market.
Something I've seen a lot of in the past few years with smaller corporations has been the continued placement of IT under a CFO. I have always found this practice to be a formula for disaster. It still confounds me when I see a corporation entrusting its technology assets to an MBA and not a qualified Technology expert. Yes, I know it's breaking years of tradition but it needs to happen in even smaller businesses.
In the past five corporations I've worked with I've witnessed the exact same process in which the CFO becomes threatened by the IT management and staff. What happens is that they constantly offer the company ideas and projects that the CFO finds too expensive. He in turn forces through cheaper alternatives that the board jumps on despite impassioned emails from the IT staff claiming disaster will occur.
Eventually these failures of technology mount up with the CFO blame shifting and the IT staff expending CYA files. A stand off occurs, everyone loses trust then lies, back stabbing, staff shortages, budget sabotage, etc... occur.
Eventually either the CFO goes or the IT staff, but seeing as most CFOs I've known have been playing the corporate political game far longer, they manage to win out through tactics designed to strain the IT staff to the breaking point.
I've had several CFOs tell me that it's easier for them to hire one of the thousands of over certified, underpaid and inexperienced IT types, coerce and leverage the hell out of them for every hour and penny expecting an 18 month half life from the employee. The employee then either wises up and quits or screws up enough to get fired. The CFO then simply repeats the process. One said he preferred the H1B's because they have an approximate 24 month half life using this philosophy.
I say smaller corporations need to break with tradition, bite the salary bullet and create a CIO position independent from the CFO! Either do that or don't have an IT staff at all and contract out everything. If this doesn't happen they can expect eventual major IT unions to rise up soon.
not InformationWeek. Shame on /. editors for not giving proper attribution.
Mike Fratto, Editor, Secure Enterprise magazine
SOX only applies to publicly held companies. Private companies are not bound by SOX.
You can hire an outside security firm that keeps $60K; splits the rest on hardware appliances
(with 50% markup) and their off-site monitoring. One followup around renewal time.
Or get a new security manager who keeps $60K; hires $36K assistant, spends rest on junkets.
Or a non-managerial IT person who assigns $50K for salary and the rest to hardware/software.
Next year loses entire software/hardware budget. Quits. Outside security firm called in.
First -- people don't value something until they think they need it; and that won't happen until they get burned.
Second -- it's excruciating to separate the wheat from the chaff; there would appear to be a glut of IT security "professionals" out there if their resumes were to be believed, but in practice there are only a few gems to be found in that buzzword-compliant heap.
I'm a computational biologist by profession, but on occasion have had to deal with various projects that involved some sort of security (be it in establishing secure external collaborations, or securing proprietary data in various analytical pipelines). I've seen IT security heads come and go and I've yet to meet one that I felt knew more than me -- and they should know MUCH more than me!
I've met several true IT security professionals -- people that reeked of healthy paranoia and a truly fundamental knowledge of how things worked and interoperated. But, I've yet to see one in the wild looking for a job, much less hired by any company I've worked for.
I think you're simply seeing blissful ignorance exacerbated by a confusing pool of self-proclaimed security professionals and a dearth of truly competent personnel. It's hard work, and the value of it simply isn't clear until it's too late.
Indeed, and there's nothing wrong with changing your background, etc. It's that most of the products out there that seem helpful in doing so actually contain nasty little tidbits.
:-)
To that end, I've been showing secretaries how to right-click on a picture and set it as their wallpaper (that and stressed the importance of not downloading other software to do so). Five minutes, and a whole lot less potential problems in the future. As a bonus for the secretary, she found a picture of her grandkids in her email and prefers that much more over the latest "fluffy kittens and puppies" wallpaper schemes anyhow.
Cubicle decorations never mailed your TPS reports back to an unknown third party, or caused your stapler to work really slowly.
I was the sole IT staff for a major city in the North. My budget was $500.00 a month for any supplies or needed items. I was able to initiate a network that spanned the city (from nothing), running most if not all of the cable and connections, building servers, initiating a domain presence, and also coding duties. I made 1/3 of what I make now, without any of the responsibility I used to have then. IT is a 'loss leader' and business (especially government, for some reason) does not seem to be able to justify the expenses required.
The people I reported to had no idea of what I was talking about when I submitted my requests for parts/pieces/assistance. They just wanted it done and done under the monthly 'Mad money' allowed.
You keep going until you die..."Me".
They left out what I feel are a few glaring deficiencies in the IT world, a lack of catering and free back rubs.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
"Also never delete the e-mail you sent."
Ah... Just ask the folks at Enron about that, certainly saved their arses...
SELECT * FROM tblFriends WHERE interesting >= 4;
As a non-profit, this particular hospital wasn't allowed to make money. Well, they didn't cut fees, and they definitely didn't hire more help, but they did open another huge, well-appointed, unused parking garage this year.
I will never, ever understand the kind of logic that made that seem like a rational apportionment of funding. Furthermore, I really don't want to. I don't believe pro-union hype more than the next anti-union guy, but some of their complaints are legitimate.
Dewey, what part of this looks like authorities should be involved?
Security is indeed a thankless task, but if you manage it properly, you can get proper recognition.
First, one of the keys to security is Risk Assessment. Either do it yourself (using the OCTAVE methodology), or hire outside consultants to guide/mentor you through the process.
Next, learn a little about security. Join SANS, take the CISSP training/exam, or become an Information Systems Auditor (COBIT, CISA are relevant.)
I wrote a brief introduction to security (released under GNU Documentation License) for those who wish to learn the basics of Risks, Controls, etc. Just read chapters 1 and 2.
If you wish to start documenting your systems, check out my Database of Managed Objects.
It's also a great idea to make friends with the Auditors in your company. Find out what you can do to make their jobs easier. Talk to your Chief Security Officer (if you have one, then the job of security is halfway to success!)
As others in this thread have posted, DOCUMENT EVERYTHING. Always follow the chain of command (unless something clearly illegal is involved.) Don't violate your ethics, and keep improving!
--
cheers
Paul Gillingwater
MBA, CISSP, CISM
Those guys need to be held back a bit, otherwise we'd all be in straitjackets all the time.
A lot of early Internet development happened because there wasn't any security. Nowadays if you aren't using HTTP in a proxy-compatible way, you've got some 'splainin to do, and the answer will be "no!" even after that.
I agree they should close obvious holes that are being exploited, but not have the typical "guilty until proven innocent" philosophy.
Quite aside from wondering whether someone who apparently equates 'eye candy' with 'hard work' should even be in a position of responsibility, I suspect that something like 'The Spinning Cube of Potential Doom' makes an excellent persuader for such folks (see this posting therein in particular).
- White Knight of the Order of Mihoshi Enthusiasts