Security's Everyman

Thursday, August 23, 2007

Light on Posting

I've been light on posting lately because I've been heavy on busyness. Between work and family life it's been quite hectic. I've got LOTS of projects going on at work, plus we just finished our yearly IT Audit last week and that has spawned a few more.

One of the tasks that I've been given here is basically creating an information security program from scratch. It's a great challenge and opportunity, but it's also a great time consumer. Luckily I've got some good friends who have given me some insight on what direction to take. I'm currently re-reading The Pragmatic CSO because it is basically about building a security program from scratch. I'm also working on a User Awareness Program, and several new technical controls are being rolled out for which I have primary leadership responsibility. Luckily I won't have to do all the work on them. I have a VERY talented team of engineers to assist me with that.

I'm also still learning the environment here. There are lots of things going on in the network that are not documented. It's a weekly thing to discover new ones. Talk about a Security Professional's (dream, nightmare, challenge). You pick your favorite answer. :)

I also had a good scare and laugh yesterday. We have a partner that has a connection to our network, and they have a DFS share that we access. They have been having problems getting people to connect to it lately. They tried several things and finally found the answer: their firewall was blocking some of our subnets. So they fixed the problem, and then their server admin got the idea that it would make life much easier on us if we didn't have to "reauthenticate" to access the share. So he decided that, since he had several new users to set up access for, he would just have them give him their domain username and password. Of course we had a couple of users who did do this before I found out about it. Needless to say, I made a phone call to him IMMEDIATELY. As I politely explained to him why this was not an acceptable solution to the problem, he said that he understood and was only trying to make it easier for us. Then he said that he too was very security conscious and understood my position on this. OK, if you are so security conscious and really do understand, then WHY did you do this in the first place? This just reinforces my stance that much of our User Awareness training needs to focus on the average IT staff person.

Well, I've spent enough time here for now. Got to run and get back on these projects. I'll try to post a little more regularly from now on.

1 comment:

LonerVamp said...

Unfortunately, the average IT staffer is typically evaluated on their customer service, not the quality of their given solutions to problems.

In my current job, we have two parts to our main team: the desktop techs and us guys in the back server room and network. The desktop techs are almost entirely evaluated by how the rest of the company views their service. If they help someone quickly with little fuss by asking for their password, they will do it and get kudos for it...except within our immediate team where some of us will look askance at the practice. No education fixes that.

Likewise, my part of the team tends to push back on insecure or badly architected solutions. This reflects on our peer evaluations, even when our requests or denials are justified and we provide alternatives.

When people say IT should be business-enablers and work in conjunction with the business side, the dark side of that comment is that IT should be as stupid about IT as the business side oftimes is...
