What Should We Do About Security Ethics?
An anonymous reader writes "I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm third-party auditors/testers to reduce their risk ratings on the threat of losing our business. It's truly sad that the fear of losing our jobs and the necessity of supporting our families comes before the security of highly confidential information. All so executives can look good and make their bonuses? How should people start blowing the whistle on companies like this?"
Did you ever think this environment was created because the security policies simply do not scale? There's a difference between best practices that keep information secure and having everyone use a dongle and a password that changes weekly to check their fucking e-mail. In my experience, also at a Fortune XX company, "security" is simply a one-size-fits-all plan to cover your ass, which usually results in the least convenient and productive practices possible for the average Joe user. For that matter, security "experts" are rarely experts in security at all; they've just survived the longest by sticking to knee-jerk strategies. Because this is Slashdot, let me add that any shop that uses Microsoft in its security platform deserves a shareholder lawsuit. So there.