Information Security and Ignorant Management?
jmahler asks: "Suppose you work for a fairly decent-sized (but independent) CPA firm in the IT department. Suppose further that you have repeatedly warned the partners of the dangers of having unsecured laptops in the field, and have requested to replace the very thin, and rapidly aging line of defense (and functionality) currently protecting your network from all of the mean and nasty folks on the Internet. Let's continue, then, to suppose that the partners have all agreed to ignore every recommendation put forward regardless of cost or benefit. Is there a good way, beyond memos and emails, to inform the partnership that the water in which they tread could quickly become dangerous? What about absolving ourselves of responsibility for data theft and loss from a laptop 'disappearance' in the field?"
You're only paid to do your job, and you did your job. If they don't listen to your advice, that's their problem. Just make sure you keep copies of the e-mails you sent on the topic. If something "really bad" happens, then you can say you recommended X, Y, Z and they did absolutely nothing about it.
Simon
And against accounting firms and CPAs.
That's well put. One way to approach it in discussions with management is something like this:
1) Real infosec breaches that have happened, and the cost (cite the loss of VA data, or other situation, and the costs that the companies have paid, including things like picking up the cost of credit reports for a year, etc)
2) Some real things we can do, right now, and what it has cost to do similar things at other companies.
3) The kinds of user-visible "annoyances" that the increased security measures will trigger, and the potential costs and experiences of the transition. Be sure to acknowledge that change is always going to result in some short-term friction and negative feedback, and give examples of how that has resolved itself in other cases.
After that, as the parent says, it's up to management to decide the cost/risk tolerance they are comfortable with, and if that differs from your own, you have a choice to make: change jobs; accept their choice without reservation; or accept their choice but continue a long-term dialog between your team and the business, and resolve and respond to issues as they come up in ways that move toward your goals.