Security Basics mailing list archives
RE: security not a big priority?
From: Tony UcedaVélez <tonyuv () versprite com>
Date: Wed, 21 Feb 2007 00:03:58 -0500
Greetings,

First, let me begin by expressing my sincerest condolences for the living hell that you are about to face within said educational institution. I have run into similar situations before and essentially took one of two approaches. Either way, you're in for a long haul and nothing will be overnight. Essentially, "begin from below or from above" is the simple gist of my recommendations.

Let me begin by saying your best bet will be to obtain endorsement from above, so I'll elaborate there first. The security job responsibilities that were handed down to your current position stemmed from some sort of defined need. Whether it was a sincere need to create a beneficial security change within the university or simply a 'check box' approach to appeasing some university constituents, you'll find out soon enough. Once you find out the true intent for having your security roles and responsibilities, there is only so much more security clout that you'll be able to push in addition. Finding representatives with more power and concern related to security will be your first priority. Establishing that level of interaction will provide for an open channel to creating change at a very important level. If they have a lending ear to your situation, you'll be able to bring to light some of the inadequacies of your immediate manager and portray a lack of support for your security efforts. That obviously will not go unscathed. Hopefully you're conflict tolerant, b/c it will be uncomfortable to be between two power points: your immediate boss and the person who you confided in (who presumably has at least 2 layers over your current boss - the higher you go the better). I will say that tact is key in interfacing with that level of a person. You don't simply walk into their office and lay down the problem. You'll have to spend much time social engineering your way into their life via personal or professional traits that will allow you to establish rapport.

After that groundwork has been laid out and you're at a point beyond hallway pleasantries, any given conversation could give way to what is dear to your heart - actually acting on some of the security talent you have to make a value-added change to the institution. Again, variables to success will be your rapport with this high-ranking individual, you being notorious for good work, professionalism, diligence, etc. amongst co-workers (regardless of whether they're in Network Ops or not) or external customers.

The alternative is to start below... with your immediate boss, that is. This is tougher, but also requires some degree of selling or social engineering on your part in order to get into the comfort zone of your immediate boss and slowly prove the security importance over time. Some helpful points might be depicting your security projects as a manner to exalt him and his accomplishments. If he doesn't get security at all, use what I call 'industry parables' (Harvard likes to call them case studies) to get that shock-n-awe effect... essentially a collection of high-profile security cases that involved similar institutions. Everyone loves a good story and hopefully those will be able to convey that his job is potentially on the line if he's been tasked with protecting student and faculty information in addition to info related to the institution. Lastly, as is the case with many inept managers who may feel intimidated by employees who know above and beyond their expertise, you'll simply have to give him the impression on several occasions that you're not out gunning for his job, but rather simply one of the guys who finds his expertise 'invaluable', 'inspiring', and 'mentor-like'. It'll be humbling, but being the security altruist that you probably are, it's part of the job and a necessary price to pay to do the right thing. Change will be slow and painful, if at all.

There'll be times when you want to truly convey the dire need for some security controls, but instead you'll have to sit and listen to his network war stories from when he managed a zillion hosts via rsh and wrote shell scripts to ensure NICs were set to 100-full as a way to claim victory in capacity planning.

Best of luck and may the force be with you. By the way, love the quote from B. Schneier in your signature. He's the man.

Tony UcedaVélez, CISA, GIAC
VerSprite, LLC
(office) 678.938.3434
(email) tonyuv () versprite com
(web) www.versprite.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Francois Yang
Sent: Wednesday, February 14, 2007 4:33 PM
To: security-basics () securityfocus com
Subject: security not a big priority?

So I have a problem and I'd like to know what you guys think. I'm a Security Analyst at an education institute. A community college, to be more precise. So I was brought on board to address security issues and work on making this place a better place. Now the problem is:

1. I'm in the network operation team. No security group.
2. My boss doesn't seem to know much about security.
3. My boss doesn't seem to think highly of security since all my projects seem to be of low priority.
4. I have a long list of things that need to be done and they are all waiting for the engineers to work on it. But again they have better things to do.

So what am I supposed to do? Look for another job? :) Anyone run into this problem before? I'm at the point where I'm not sure what to do. Thanks.

--
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.
Bruce Schneier