Security Basics mailing list archives
Re: Re: security not a big priority?
From: cwwoods () mindspring com
Date: 19 Feb 2007 13:34:17 -0000
Francois,

I have read the entire thread. Wow. --- We must be twins. :-)

I have been experiencing the exact same thing on my job. But more so:

- I was hired for Network Security by individuals who, it now seems, really did not understand the concept. When I initially arrived, the attitude was that I would "secure" whatever project or action was taken. It took a while to get them to understand that I needed to be a proactive, included member of things from inception.

- Not only do I report to a Network Ops manager, this person - who on one hand admits they have no security background - sets the agenda for how I go about addressing this area. There are constant conflicts, up to and including my recommendations and opinions sometimes not being heard because they are perceived as unnecessary, unrealistic, or obstructing progress.

- I am the only person dedicated to network security. That is not necessarily a huge issue. The larger issue is that the perception is that I alone should somehow be able to do everything, and I should be able to do everything by myself. The last major virus outbreak we experienced, after a couple of days it became obvious that I could not scan EVERY cpu by myself. However, I was turned down when I asked for help (Our helpdesk was allowed to low-priority my CPU scan tickets.) And in the end, management was thoroughly displeased with how the whole incident was handled (took too long, users were upset, etc). Meanwhile, I was a wreck from having worked about 40 hours in a three-day period. ... An unwinnable situation.

- The entire IT dept is nearly completely reactionary. We have no CIO, and our IT leader is not seen as an equal by the other top-level executives. Basically, whatever requests or whims other departments want, we wind up trying to accommodate. Even if the wishes are counter-productive, redundant or will adversely affect the network.

- IT does not seem to "talk" to the user community. It is almost like the goal is to allow the users to do whatever they want, while IT does everything for them. Which would maybe be okay, except there is a culture of allowing the users to do darn near ANYTHING they want. I see a real lack of guidance coming from our IT department.

I am leaving this position. I have been unable to figure out how to simultaneously write policies (there are none), plan strategy, fight the day-to-day fires and perform proactive, pre-emptive research and analysis by myself within a reasonable timeframe to keep up with the ever growing needs of the environment. Things fall through the cracks, mistakes get made.

Although some colleagues are beginning to understand that they, too, must become more security conscious in the way they approach networking, still security overall takes a back seat. No one wants to tell the big bosses "no", that some of what they want is not feasible at the moment, or that some things will be delayed because we are trying to do them correctly now. Or tell them the real cost of implementing the latest whiz-bang technology without shoring up the holes that currently exist. -- Definitely, no one wants to say that mistakes were made in the past, and now we have to correct them in order to get better and move on.

Francois, I feel for you. I, too, know that not all environments have to be like what you and I have (are) going through. The choice for me is to leave. I hope that you will be able to make your management understand that security is not one person's job. Rather, it is a way of thinking and doing business. To paraphrase the poster, network security is not a destination - it is a journey.

Best of luck to you!

Your "sister" for the cause,
Claudia