Security Basics mailing list archives

RE: security not a big priority?


From: Tony UcedaVélez <tonyuv () versprite com>
Date: Wed, 21 Feb 2007 00:03:58 -0500

Greetings,

First, let me begin by expressing my sincerest condolences for the living
hell that you are about to face within said educational institution.  

I have run into similar situations before and essentially took one of two
approaches. Either way, you're in for a long haul and nothing will happen
overnight.  Essentially, beginning from below or from above is the simple gist
of my recommendations.  Let me begin by saying your best bet will be to
obtain endorsement from above, so I'll elaborate there first.

The security job responsibilities that were handed down to your current
position stemmed from some sort of defined need.  Whether it was a sincere
need to create a beneficial security change within the university or simply
a 'check box' approach to appeasing some university constituents, you'll
find out soon enough.  Once you find out the true intent for having your
security roles and responsibilities, there is only so much more security
clout that you'll be able to push in addition.  Finding representatives with
more power and concern related to security will be your first priority.
Establishing that level of interaction will provide for an open channel to
creating change at a very important level.  If they have a lending ear to
your situation, you'll be able to bring to light some of the inadequacies of
your immediate manager and portray a lack of support for your security
efforts.  That obviously will not go unscathed.  Hopefully you're conflict
tolerant, because it will be uncomfortable to be between two power points: your
immediate boss and the person whom you confided in (who presumably has at
least 2 layers over your current boss - the higher you go the better). I
will say that tact is key in interfacing with that level of a person.  You
don't simply walk into their office and lay down the problem.  You'll have
to spend much time social engineering your way into their life via personal
or professional traits that will allow you to establish rapport.  After that
groundwork has been laid out and you're at a point beyond hallway pleasantries,
any given conversation could give way to what is dear to your heart -
actually acting on some of the security talent you have to make a
value-added change to the institution.  Again, variables to success will be your
rapport with this high-ranking individual, you being notorious for good
work, professionalism, diligence, etc. amongst co-workers (regardless of
whether they're in Network Ops or not) or external customers.

The alternative is to start below...with your immediate boss that is.  This
is tougher, but also requires some degree of selling or social engineering
on your part in order to get into the comfort zone of your immediate boss
and slowly prove the security importance over time.  Some helpful points
might be depicting your security projects as a manner to exalt him and his
accomplishments.  If he doesn't get security at all, use what I call
'industry parables' (Harvard likes to call them case studies) to get that
shock-and-awe effect... essentially a collection of high-profile security
cases that involved similar institutions.  Everyone loves a good story and
hopefully those will be able to convey that his job is potentially on the
line if he's been tasked with protecting student and faculty information in
addition to info related to the institution.  Lastly, as is the case with
many inept managers who may feel intimidated by employees who know above
and beyond their expertise, you'll simply have to give him the impression on
several occasions that you're not out gunning for his job, but rather simply
one of the guys who finds his expertise 'invaluable', 'inspiring', and
'mentor-like'.  It'll be humbling, but being the security altruist that you
probably are, it's part of the job and a necessary price to pay to do the
right thing.  Change will be slow and painful, if at all.  There'll be times
when you want to truly convey the dire need for some security controls, but
instead you'll have to sit and listen to his network war stories when he
managed a zillion hosts via rsh, wrote shell scripts to ensure NICs were set
to 100-full as a way to claim victory in capacity planning.  

Best of luck and may the force be with you.

By the way, love the quote from B. Schneier in your signature.  He's the
man.

Tony UcedaVélez, CISA, GIAC
VerSprite, LLC
(office) 678.938.3434
(email) tonyuv () versprite com
(web)   www.versprite.com
 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Francois Yang
Sent: Wednesday, February 14, 2007 4:33 PM
To: security-basics () securityfocus com
Subject: security not a big priority?


So I have a problem and I'd like to know what you guys think.
I'm a Security Analyst at an education institute, a community college to be
more precise. I was brought on board to address security issues and work
on making this place a better place.  Now the problems are:
1. I'm in the network operations team; there is no security group.
2. My boss doesn't seem to know much about security.
3. My boss doesn't seem to think highly of security, since all my projects
seem to be of low priority.
4. I have a long list of things that need to be done and they are all waiting
for the engineers to work on them. But again, they have better things to do.
So what am I supposed to do? Look for another job? :) Has anyone run into this
problem before? I'm at the point where I'm not sure what to do.


Thanks.


-- 
If you think technology can solve your security problems, then you don't
understand the problems and you don't understand the technology. Bruce
Schneier

