Security Basics mailing list archives

Re: security not a big priority?


From: steve.dake () gmail com
Date: 19 Feb 2007 18:38:05 -0000

Wow. I must have many twins out there. This is too much like my last position. They brought me in to "head the security 
program" and come to find out, they simply wanted a "security person" to be responsible for all security issues, but 
with no political clout or backing to do anything about it. 

I worked hard at developing the policy, and processes needed. Working closely with internal audit and creating a "C 
level team of security champions" helped a lot.

The IT area however, depended on two very stubborn junior level admins that wanted to continue to rely on smoke and 
mirrors as they had since the 90's. Their boss and friend (the IT manager) was also my boss which created a major 
conflict of interest - they chose to perceive security as something that interfered with the shortcuts they had relied 
on for years (like 3 character passwords that never changed..) - it required them to do something different. The only 
concept they had of security was AV and a firewall, and they did not want to hear anything more. It was a totally 
reactive culture that never planned ahead... That was a nut that I could not crack, and eventually gave up.

I hate to say it, but sometimes you have to leave uselessness behind and walk. I am much happier now working as a 
consultant. It's kind of amazing how you can write up findings and recommendations on the inside and no one takes it 
seriously, but as soon as an external consultant says the same thing, then bingo - now it's a priority...

I did learn from the experience: I will now be very mindful of the org and reporting structure, as well as how employees 
are rewarded and other individuals' job descriptions. Without proper incentive, you cannot get people to change their 
habits - even if they know it's wrong.

