Security Responsibility Without the Authority? 206
Slashdot reader jamie submits this story about security administration. If you have the responsibility for security without the authority to make changes, your only role is to be the fall guy when something goes wrong.
On the other hand (Score:5, Insightful)
Re:On the other hand (Score:2, Funny)
Re:On the other hand (Score:2)
Re:On the other hand (Score:5, Interesting)
From the article,
Upper management often issues orders such as "Clean up the system at any cost!" Yet when these same managers get recommendations for pre-emptive security implementation, too often chief information security officers are told, "The budget for this quarter has been exceeded. Ask me again later in the year."
Information security is a challenging and technologically rewarding profession. Unfortunately, those responsible for carrying out information security often are not given the authority and budget to get the work done.
http://www.gao.gov/new.items/d02627t.pdf [gao.gov]THere is the definition(pdf) of the Homeland security Dept's responsibility charter, for want of a better word
From another source, possibly not popular in these circles, is a paper on "Security Considerations for Information Security"http://www.microsoft.com/technet/security /bestprac/bpent/sec2/seconaa.mspx [microsoft.com]
An excerpt:
Re:On the other hand (Score:5, Interesting)
He saw that he was being set up for the "fall guy" position... you know it when it happens, "you are responsible for all security", ":Oh, we have no money for your department, you can not impliment that security policy, no not that either,...."
for his last year he recorded all conversations with superiors, printed out and kept (against company policy) all communications with superiors and even kept recordings of voice mails on his company phone and personal cellphone.
well it collapsed, we were rooted hard, and when they looked for the fall guy, hew was ready and took 7 of the companies managers and executives with him flaming to the ground.
BTW, his tactics earned him quite a bit in a court settlement with the company. be sure to give all that information to your lawyers also... they love that kind of crap.
basically, document everything, and under NO circumstances trust your bosses.
Re:On the other hand (Score:3, Informative)
Funny part, I saw him here about 24 months later, we hired his company!
As for the managers and executives, I do not know.. All we know is that about 30 days after the lawsuit their offices were empty.
Re:On the other hand (Score:4, Insightful)
Never mind where this came from. Although it sounds good, it's the sort of platitude that can easily mean the opposite. That's because when you make everyone responsible for something, that means that no one is responsible for it. The buck doesn't stop anywhere, so when there's a lapse, the responsible party is arguably "everyone", and those who simply do not have the authority to take responsibility for security (which is most)... won't.
Re:On the other hand (Score:4, Interesting)
Kierthos
Re:On the other hand (Score:2)
Re:On the other hand (Score:5, Interesting)
The way we have started facing this problem is confronting the end user and the people that setup the misconfigured equipment saying: "you must work with us in fixing this problem, or we will disconnect you from the network and you can find your own ISP". That pretty much gets their attention and allows us to set security policies, firewalls, system/application patches, and virus protection.
Yeah, its not the optimal solution. We really need a single head person who can enforce security policies totally over every section, but that is difficult in the open environment of higher-ed.
Re:On the other hand (Score:3, Insightful)
Have you inforced network-level (router + firewall) segmentation yet? (Ex: Systems A & B and B & C can see each other, though not A & C.)
Re:On the other hand (Score:2, Informative)
A while back we had a user bring in a sasser-infected machine from home and plug it into the netw
Re:On the other hand (Score:2, Interesting)
They've had a bunch of students complain,
Dictatorship (Score:2, Insightful)
Re:Dictatorship (Score:5, Insightful)
In IT, more often than not, security has to come first, and people's feelings come second - we are talking are personal information being passed around. How do you propose running a network where the emphasis is on sharing and being nice instead of enforcing strict security policies. Go to a warehouse - the physical security of that warehouse doesn't care if you are a nice person or not - they are going to make sure to enforce the security policies on you the same as everyone else. The same idea applies to data security.
Re:Dictatorship (Score:3, Interesting)
Users' primary interest is having widgets to do their work. Infosec's interest is about protecting existing widgets. The adversarial relationship tends to come in place when deploying new widgets, or m
well, duh! (Score:3, Interesting)
That's what having a fall guy is all about. Someone has the authority to fix the problem, but no real clue or budget. Enter the fall guy. Upper management "concentrates on the company's core business" while the fall guy eats the blame.
It's not something that can work forever. How many years can you go to the share holders with bloated IT budgets? Wall Street replaced their core infrastruct
This is not specific to IT (Score:4, Insightful)
When I was in the army 20 years ago I had the "responsibility" to get a bunch of guys to move some furniture. Unfortunately I did not have authority over these troops since they belonged to another division.
Re:On the other hand (Score:4, Interesting)
Authority (who's the boss) is usually assigned for political reasons. Reponsibility has more to do with ethics and capabilities.
When the boss is incapable of doing a task, then clearly, some underling bears the responsibility when things go wrong.
Conversely, the people with highly developed sense of ethics and professionalism step up to the plate, work to make the project work and essentially take responsibility.
Theoretically, it is possible to give authority to the people who take responsibility.
This might cause problems for a company...it usually doesn't tarnish the teflon coat of the people in charge. For that matter, when a company sees a manager with authority and no responsibility, they generally respond by expanding his authority.
This is by design (Score:5, Interesting)
This was the reason (Score:5, Interesting)
Doesn't matter that Redhat and everyone else offer support.
Re:This was the reason (Score:2, Interesting)
It's all political. (Score:5, Insightful)
It's about being able to say that it isn't YOUR fault. You did what EVERYONE ELSE was doing. Then you pull out the magazines and articles about how whatever just happened to you has been happening all over to other companies.
In many companies, it is more important to not be blamed for a problem than it is to be the one who solved a problem.
Re:It's all political. (Score:3, Insightful)
In many companies, it is more important to not be blamed for a problem than it is to be the one who solved a problem.
Fuck 'em. I want a company that's interested in getting the job done right, not playing stupid blame games when they screw up.
It's still political. (Score:5, Insightful)
Politics happen in companies. Politics happen anytime you get 3 or more people working together.
It all comes down to different people having different agendas working together in a company with limited resources.
The sad thing is that once your technical skills are at the "minimally competent" level, you'd be better advised to learn corporate politics to further your career.
A technical genius without political skills can be used and abused by a mediocre technologist with good political skills.
Re:It's still political. (Score:3, Insightful)
In which case, you need a boss who understands the politics and is ACTIVELY working to counter them AND has the support of HIS boss.
I am familiar with the need for a champion (connected person pushing for your project), and the current place I'm at is so very bad at this stuff. I'm mostly venting.
The sad thing is that once your technical skills are at the "minimally competent" level, you'd be better advised to learn corporate politics to further your career.
Got any pointers? This technical genius w
Know your enemy. (Score:5, Interesting)
I'd also recommend "The Prince" by Machiavelli. Also, take a few MBA courses. It helps to know how they think and what their phrases actually mean.
But no book will ever be able to replace the insights gained from person-to-person interaction. You have to learn how to be "friends" with people who annoy you and how to manipulate them into supporting your agenda. That takes practice and you shouldn't practice it at work. They probably already know it better than you do and will be able to spot your amateur attempts. Instead, look at non-work groups. Your local church is a great place to start. They are usually packed with inter-personal relationships and petty politics. A friend once gave me this bit of insight: "The politics are so vicious because the stakes are so small".
Politics is about manipulating people to achieve your agenda. Before you become good at politics, you have to be comfortable with that.
Re:Know your enemy. (Score:2)
They are usually packed with inter-personal relationships and petty politics. A friend once gave me this bit of insight: "The politics are so vicious because the stakes are so small".
The first time I heard that, it was in reference to university machinations.
Re:It's still political. (Score:2)
Psychology in general is a pretty good field to study. Unfortunately, filtering the wheat from the chaff is difficult, so to be
Re:It's still political. (Score:3, Funny)
I've seen it happen with just two. If you have multiple personalities, or if you take on multiple roles you could manage with just one. In that case, politics are better known as headaches.
Re:It's still political. (Score:3, Insightful)
Thats my career plan!:-) No seriously... I see so many bright and capable people who can't play the politics game and get ground to wheat because of it. I'm good at the technical aspects, but some of these people are so much better than I am. So I figure that in return for protecting them and getting them what they want and need, I'll get them to do great things for me.
--Cam
Re:It's all political. (Score:4, Interesting)
If reading slashdot is any indication there are an awful lot of companies in the US making decisions based of really stupid and irrational criterea. I have heard many times "we didn't go with X because there was nobody to blame" and "we didn't go with Y because SCO might sue us" type of totally idiotic reasons. Why is that? Is Harvard business school or joe blow MBA mill really producing management that is unable to assess risk and intelligently apply reason to their decision making process? Think about it.
I wonder if this is some sort of an American thing. Are people in Europe and Asia making decisions like this? If not we are about to get our assess kicked awfully hard.
Re:It's all political. (Score:3, Interesting)
Ciao.
Re:It's all political. (Score:5, Insightful)
civil legal matters (Score:2, Informative)
If it is a company you do business with, send them a letter-snail mail, registered, notarized whatever, in advance to that effect. Not a threat, just a reminder that they have alternatives, and it's in their best interest business-
Re:This was the reason (Score:3, Insightful)
I'd say more often the exact opposite is true. People choose Linux because of the general perception that it is the more stable, more secure choice. After a rooting the security admin can proclaim "All the press and the community said it was the greatest thing since sliced bread...I don't know what went wrong!"
Given all the bad publicity Microsoft has (deservedly) received, it is a huge risk for architects and security admins to choose Windows -- when things go wrong everyone can immediately c
Re:This was the reason (Score:3, Insightful)
But what exactly does that get you? If it goes down, do you plan on suing the vendor for damages despite the gibberish in the license? If the vendor is microsoft, do you expect to be successful in suing one of the world's richest companies? I don't think any software company has ever been successfully sued for damages before.
I just don't get how being able to blame Microsoft is any different from
Re:This was the reason (Score:2)
Since everyone knows that whole "do things the same and expect different results" def'n of insani
Re:This was the reason (Score:2)
Ok, but how is that different from going to the board and saying "hey, it's not MY fault - Joe Blow wrote some lousy code."?
Re:This was the reason (Score:2)
Second, "everyone" uses Microsoft. That means when a problem happens, everyone gets to stand up and say with one voice "Microsoft screwed us over". If you read in trade mags
Re:This was the reason (Score:4, Informative)
Re:This was the reason (Score:3, Insightful)
Re:This was the reason (Score:2, Insightful)
terminology (Score:4, Funny)
It's all about preconfiguring the blame
In the field of enviornmental compliance, the person 'in charge' is known as the 'designated inmate.'
this can be a 'good thing' .. (Score:5, Funny)
Re:this can be a 'good thing' .. (Score:3, Funny)
Ahh, Tibor, how many times you've saved my butt."
Re:this can be a 'good thing' .. (Score:5, Interesting)
It goes like this at my job. I am "in charge" of network security and maintaining our Microsoft and Linux servers. You would think that my office would be located at the central office where all the servers are. This is not the case. Instead my boss, the IT manager, is located at the central office. Whenever he thinks something is not working right he makes changes to our production servers during business hours. My boss has no training in IT security. He's an MBA that has limited knowlege in security but thinks he knows more than he does.
Here's how most situations go. One person calls and complains that the finance database is slow or our inventory database is not working correctly. My boss then logs into the server and makes changes without documenting anything or telling me. You can image what happens next. Yeah, I get blamed for problems that occured after he changed something. I then have to go back and try to trace what he did. I know I can't ask what changes he made since that might seem like I am blaming him for the problem he created.
After going through this senario four times I decided to remove his login to our production servers. Big mistake.
I got a call from my boss two days later asking why he couldn't login to our production servers. I had prepared ahead of time and had a story made. I told him that I had noticed someone was logging in to our production servers and making changes during business hours which is against our IT policy. I went on saying that the changes made during these logins were responisble for the problems. I then told him for better security I should keep his account off the production servers so that the person who was making changes could no longer do so. He then said, "In the future could you please let me know when you make changes so we can be on the same page." I told him that I always documented the changes I made in the server logbook. I told him that I would reactivate his account with a different password. Since then he has not made any changes to the system.
Sarbanes-Oxley Compliance (Score:3, Interesting)
Re:this can be a 'good thing' .. (Score:3, Interesting)
I use a multi-pronged approach to keep the other admins under control:
Overall, it works pretty well. (I think) I know about every change that happens to my systems. At least, strange stuff doesn't happen without an audit trail to figure out who was responsible.
Disclaimer: if you're one of my cow-orkers, please assume this was written in regard to one of my other system
Re:this can be a 'good thing' .. (Score:3, Insightful)
Should be obvious but... (Score:2, Insightful)
Absolutely no good can come out of this situation except as a blurb on your resume. i.e. Was responsible for network security at firm with more than 500 computers for the last 6 months.
Re:Should be obvious but... (Score:2)
False priorities (Score:5, Insightful)
Basically, you're stuck in a bad position : management yell at you if anything goes wrong, Finance is annoyed by your constant demands they see no 'use' for.
Of course, not every business works this way. But it tend to when the company gets too large...
Re:False priorities (Score:2)
That was the first thought when I read the post. It's a very old idea in politics (not "politics" like government, but as in the subject of study relating to social power): never separate power and responsibility.
Whenever making someone responsible for some duty/task, always make sure you're also giving them the power to fulfill that responsibility. Otherwise, you're just setting them up to fail. Power without responsibility, on the other hand, is guara
Double-edged sword (Score:5, Insightful)
Usually in a company, IT department takes care of the adminstration of IT-related stuff, and HR takes care of the rules/policies.
If these two departments don't compliment each other, that's the problem to be fixed, instead of mixing two different roles together.
That's my personal experience anyway, I find it easier to tell the users to take to HR (or vice versa) than having to deal with (punish) or explain certain policies to users.
Re:Double-edged sword (Score:2)
Re:Double-edged sword (Score:4, Insightful)
So all of the actions you alluded to in your comment (password length, firewall rules, etc.) would be the job of IT (or IT Security) to enforce, whereas the the writing of the IT policies would be the responsibility of the HR department (with participation of IT technical resources from within or outside the HR department). This is usually the way it works for physical security in most large organizations.
---
Re:Double-edged sword (Score:2)
As long as the enforcement department is only responsible for enforcing the policies as written, no p
Re:Double-edged sword (Score:2)
Why would HR be setting computer security policies? Is this common? Has HR become so powerful?
Re:Double-edged sword (Score:2)
Re:Double-edged sword (Score:2)
It looked to me that it is like asking a janitor to sweep up before hours but not allowing him/her a way into the building.
cliches in this industry (Score:5, Funny)
My favorite phrase is "... working hard to ensure this never happens again". We usually hear that within 4 hours of a customer calling and using the phrase "you people". "You people lost my database again!" "We can assure you we are working hard to ensure this never happens again". We've had a 0 dollar buildout and maintenence budget for 4 years. They actually get MORE surprised each time something breaks, cause we're supposed to be getting better at using the tools we have.
Ok here's a different question -- anyone ever had to use their own property to band-aid something within the company about ready to explode?
Re:cliches in this industry (Score:5, Insightful)
anyone ever had to use their own property to band-aid something within the company about ready to explode?
Don't ever do that. If you do, then they think their current budget is fine, so they won't pony up the next time, and, should you ever leave, how are you ever going to retrieve your property?
Re:cliches in this industry (Score:2)
Re:cliches in this industry (Score:2)
Yes, I've used stuff from my own junk box to keep stuff running at work. I've also made the occasional run to Radio Shack or the local electronics store for a part. That's what happens when you have a severely dysfunctional purchasing process.
These days, I'd just say "fuck it". The organization treats you like a disposable part, why do them any favors?
You've got to be kidding! (Score:3, Insightful)
That's like working for free...and probably about as legal. You need to suck it up and tell the boss "we need this piece, and if we don't get it, Bad Things(tm & C ) will happen."
And document it to within an inch of its life.
that way, when the witch hunt starts, you can whip out those docs from your own personal Pearl Harbor file and show that you knew what you needed, and were told to sod off.
Holloway's laws
Re:cliches in this industry (Score:2)
Whenever something goes wrong in a business environment, there is a fight over who gets the blame. Whenever something goes right, there is a fight over who gets the credit. The person actually responsible is rarely the victor, in either case.
CSO Magazine (Score:4, Interesting)
I've seen this first hand in our midwest US city, where the requirements for most security positions are a MCSE and a CISSP with little to no interest in management and policy-level expertise. IT security has very quickly become a janitorial position. Senior management has punished IT for excessive spending by gutting it of senior level representation (to the benefit of other empire building projects, typically).
Curiously enough, these companies are sitting ducks for your run-of-the-mill script kiddie. From putting unencrypted backup tapes on the top of file cabinets in highly trafficed hallways (at one database company that I've worked with) to believing a firewall and antivirus is perfect security (to several of the larger banks I've met with on security projects), they're complacent and believe IT security is just another IT "dot-com money wasting project." Better to spend the money in the profit centers and ignore defensive protections as the lack of a serious attack means they'll never experience one. Little do they realize, the only reason they haven't been attacked is that there aren't enough hackers to take all the easy pickings.
MCSE + CISSP (Score:2)
Re:CSO Magazine (Score:4, Insightful)
one word : document (Score:5, Insightful)
position or 'the target' should things go wrong
that are beyond your control ( whether due to
lack of authority or lack of omniscience ),
Document, Document, Document
diligence, report any possible vulnerabilities,
suspicions of attack and recommended changes to
your immediate boss, your IT/CIS team and their
managers. Be public, but don't be patronizing.
This 'paper trail' will help you immensely should
you be terminated over some security breach should
you be able to prove that, were your suggestions
implemented, the breach could have been prevented.
Security work is ridden with chance : if there is
a flaw in the hardware or software that had not
been documented at the root of a breach, report
that this is a new issue with that particular
system and that a patch is available and has ( or
should, if you lack even the authority to patch )
be applied immediately, or that a patch is not
yet available. I'm not a litigious person by
nature but I wouldn't hesitate to sue on the
grounds of wrongful termination if i could present
evidence that i had made those in power aware of
the problem and had not received authorization
to make the changes that would have prevented the
breach.
If you're the security guy, you Are the fall guy
by default, but if you don't leave a document
trail behind to show due diligence you will have
no cushion for your fall.
Follow the same basic guidelines that the medical
profession uses - document anomalies, perform
frequent monitoring, document changes. All of
this will help greatly should you be in the
unfortunately position of having to take legal
action against a former employer.
That this is necessary is sad, but it Is
necessary.
Re:one word : document (Score:2, Funny)
And...? (Score:2)
In this case the company is paying someone to take the fall when they have a security problem. If this person doesn't realize it, then they are clueless.
Quite a few people in this position are probably content with it because they get paid to do nothing. The trade off for that is crappy job security.
Those tha
that's funny. (Score:2)
No one takes blame when their software does not work or loses your data. The clues are:
Comment removed (Score:5, Interesting)
Re:amazing how one person resigning causes FUD (Score:3, Interesting)
1. The biggest problem is that the people doing the work don't know what they are doing. At my company, less than 10% of the people doing certification analysis have a technical background. On the project I was on, only myself and one other person (the rep from the SW developer)
Re: (Score:2)
Re:amazing how one person resigning causes FUD (Score:3)
This guy has a political problem and that's why he resigned. Everyone wants to make a big splash when they don't get along with their cohorts. Only the classy ones keep their mouths shut. This guy isn't one of those, apparently.
I a
Re: (Score:2)
Re: (Score:2)
Re:amazing how one person resigning causes FUD (Score:3, Informative)
1. The process of getting applications approved is so slow and onerous that people just install the apps on local machines w/o the knowledge of IT. If they didn't, work would never get done.
2. Their network 'accredited'. So it's like everyone else's. Big whoop. They block outgoing ports, like ssh 22. That's just a pain in the ass. So I have to ru
Re: (Score:2)
Re: (Score:2)
Security is everyones responsibility but ... (Score:4, Insightful)
Any time security goes amuck... look to management as the culpret. If anyone points fingers at anyone else but management they really don't know too much.
Management has the political power, the money and the fudiciary responsibilty.
And if they don't know the assessed level of their security and security requirements, this then means they aren't doing their job.
*NEW* Assistant Secretary (Score:2, Funny)
Depends on the situation (Score:4, Interesting)
There is nothing that police at all levels love more than taking down big rich guys.
Pity the poor Security Admin (Score:4, Interesting)
What the result is, anyone can guess: password rules so byzantine that no one can log onto production systems when sev1 issues occurr, sysops waiting three days for product tapes to be logged in and mounted, security changes being made willynilly with no change control management instituted, gateways which serve no data being loaded with full blown virus scanning software, bleeding edge maintenance being forced onto hardware and users not ready for it because it included some security fix of doubtful worth, managers not knowing the IP addys of their own *&#@ servers.
What else is the result: passwords being taped to the bottom of keyboards, users being covertly supplied administrator rights to databases and servers, sushi programs installed by everyone, hacks programmed into apps to slip data through firewalls, and entire job streams running under one userid.
Pity the poor security admin.
Security led at the VP level (Score:5, Insightful)
I used to work at a major financial services company. This was just as commercialism was just discovering the existance of the internet, so I was hired to design and deploy their high speed redundant connectivity. One thing this company did right, I think, is that all of their security was focused through the VP of Auditing, who reported to the CFO. And the guy who had this position was smart enough to know he knew very little about security and had to learn. I actually got to teach him more about it. We formed a group of people (at my suggestion), including another network engineer, two accountants, and one of the staff lawyers, as the security committee. His original mandate was network security. But in our first group meeting I gave a presentation on one of my long long ago hacking efforts (back in the mainframe days) that successfully broke into a major insurance company's three mainframes. I explained to them how I did it using entirely social engineering. Of course I had knowledge of the system, but I didn't utilize any bugs in the system to get in. With this I was able to get the group to change the focus of security from one strictly focusing on computer technology, to one that would be applied to everything the company did. Software bugs and misconfigured servers are, of course, important, but people are the weakest link in security, and this is even more so the larger a corporation is. Every operation of a company must consider security across the board.
It all depends..... (Score:2, Informative)
Re:It all depends..... (Score:4, Funny)
We finally found what his job was when government auditors showed up. He was the company scapegoat. He got 9 months off work -- with pay. Within a month of coming back they announced he was retiring -- golden parachute, full pension.
I wanted that job!
CYA or get another job. (Score:4, Insightful)
If you do your CYA bit well your boss will follow with his CYA bit and eventually someone will sign a check or the memos will stop with someone stupid enough to take the fall. Otherwise you don't want to be working there. Works no fun if you can't do your job.
If you don't like the CYA game, spend the time and effort you would put into implementing your recommendations into finding another job.
Life's not that difficult!
Stupid IT Policies (Score:4, Insightful)
There's a better definition (Score:5, Insightful)
Relate this back to the industry. You're either at the top-level or you're in the trenches. A good security admin will bridge the two as best he/she can. Security fundamentally affects (and is affected by) almost every facet of an organization. I've seen through personal experience a "silo-like" mentality to security policy execution. The secadmins were in their own private bubble that attempted to be dictatory and impervious to external influence. This is wrong, wrong, wrong!
Unfortunately, the needs of the job amount to being a little political. The decisions must be participatory, or at least giving the appearance of being participatory. That is what gives you buy-in from your users. You might say, "Why should I?" Well, if you're saying that, then you might want to find another job. Its a necessary evil if you care about keeping your org secure. If not, you might be the one complaining after the fact, "They never listened to me". Even if you're merely sitting there explaining why you are doing what you're doing - at least people are involved. You might even be giving them bad news, but at least you're telling them that you're giving them bad news before you change their lives. The real challenge here is finding the right people to involve. :-)
Good security as much depends on the "how" of security versus the "what" of security. If your methodology is technically correct, cheap, and does the job, but you've dumped it on the organization, then guess what. It ain't gonna fly!
The article, in its efforts to be concise, has not really justified its claims. Trying to sway the course of one of the largest governments in the world indeed sounds like a recipe for frustration, but does not necessarily map back to the industry in general. Those seem like radically different things. I remember Richard Clarke seeming positively perky during the days of his assumption of cyber-security czar role. Look at him now.
illusions (Score:3, Insightful)
most security is useless... (Score:5, Insightful)
The US thinks that taking nail clippers from passengers makes air travel more secure. It doesn't but it looks as though it might.
Most computer security looks outwards to the internet, forgetting that the biggest threat is sitting inside the firewall.
We are all surrounded by pretend security that is in position just because it looks good. Real security is a pain in the backside. It is disruptive to the people who have to work with it and it's very expensive. It's also complex and difficult to implement.
If the security officer in a company cannot overrule EVERY single person in the company on a matter of security, the job is a joke and exists merely as a butt-covering operation.
Re:most security is useless... (Score:4, Insightful)
If the security officer in a company cannot overrule EVERY single person in the company on a matter of security, the job is a joke and exists merely as a butt-covering operation.
This would be true if security was the overriding concern, the ultimate goal. It isn't. It would be true if the cost of security breach was infinite, but that is not so as well. So it is an entirely legitimate question to ask: should we accept the risks at our current level of security, or spend more on tightening it (in the form of direct expenses or lost productivity). There are other ways to mitigate against risks (redundancy, insurance, etc). If at the end of the day you can come out ahead by accepting the risk, that that is the correct thing to do. Security officer is not qualified to make this judgement.
been there.. (Score:3, Interesting)
jack of all trades (Score:2)
Cheap way to increase security (Score:3, Interesting)
This would favorably impact the following
o Porn searching
o Cosmetic surgery searching
o Perv searching
o Joke searching
o Browsing slashdot at -1
The Slashdot model of moderating/censoring web page accesses would also be driven by the curiosity to see what your dodgy co-workers have been downloading.
One thing that one of my previous companies also emphasized was ensuring that machines have a password protected screensaver whenever a user is away from his/her desk. Another co-worker being able to hit porn from an open desktop would be a great motivation to lock up your desktop on restroom trips, coffee etc.
Most companies have policies on non-business use of machines, though these are seldom enforced with any vigor. Enforcing them through a peer mechanism like that described above might help to keep users and company networks safe from themselves.
--
Not just security... (Score:4, Insightful)
I refused -- not that it mattered, because the coders needed time to adapt beta code from a different project to this one--, and dropped by for a few hours on Sunday just to check on the status of things. Two weeks later we had a semi-functional prototype. Three months later it was still a lame cycle of the same crap.
Now I'm going to art school and painting full-time. The money sucks, but I never have to come in at three AM to cleanup after someone else's dumbshit idea.