Sometimes it's almost comical (in a sad sort of way) how people just don't understand security no matter how much you preach it. Especially when many of those people are technical and they are supposed to be leaders and promoters of the IT program and even of security.
Case in point. In the last couple of months there have been 2 different conversations w/i my company that involve an individual (we'll call him Bob) with a position of influence and in each situation comments were made that just make me shake my head and want to find a hard object to bang in against.
The first conversation was around VPN access into our network for 3rd parties. Like it or not this is a part of business today. Gone are the days when we can isolate our selves and only allow employees access to our networks. Vendors need access to troubleshoot issues with their stuff, partners need access to be able to complete their jobs, contractors need access to work on projects. We do not have technology in place that will allow us to manage all of this centrally. This makes it a manually intensive process to ensure that we know who has access to what; when they are accessing it; why they are there; what they are doing while there, etc, etc, etc..... While I and my team were discussing ways to tighten this up the comment was made by Bob that we didn't need to worry about locking it down any more because if anything malicious was done we would find out about it via our monitoring and we could just sue the offending party. I'll wait here while you pick up your jaw and put it back in place.
OK, as you can imagine this went over like a lead balloon. I was speechless for a minute while I waited for him to crack a smile or something to let me know that he was just kidding. The smile never came. I looked around and saw the others in the room either putting their jaw back in place, holding back a laugh (not the good kind either) or staring off into oblivion hoping to find that peaceful place that they go to when life gets to be too much for them. Needless to say his idea didn't carry much weight and we were able to convince him that we really did need to control things better and that legal action was not the answer to our security problems.
After getting this "misunderstanding" straightened out I felt pretty confident that Bob had a much better understanding of security and what it is that we are trying to do. Then again maybe not. Fast forward a few weeks to a Change Control meeting yesterday. We were discussing a control that I wanted to implement to lock down some things on our systems that are not used (or at best only used by a few). Someone (not Bob) took exception to this because he actually used this. I told him that we would look at his and similar cases and make a case by case decision based upon their ability to show a legitimate business need. Then Bob chimed in. His comment was "We have a secure environment and it will get more secure as time goes by. Security is here to protect us and that means that it will be inconvenient for the user and that is OK with us".
NO, NO, NO, NO, NO, NO, NO, NO, NO!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Where in the world did he get that idea from? It wasn't me. I'm always talking about how my aim is to secure the environment while making it as easy as possible for the user to do their job. I'll admit that it's not as easy as it would be if there was no security at all in place but that's not really true either. It wouldn't be easier because the malware would make it all but impossible to use the systems.
So it seems that with some people you just can't win.
