And this surprises you?
You're totally missing the point.
[skip the long litany of *other* things you could be doing]
If I'm doing security 30 hours a week, that's 30 hours a week I'm not available for other things.
In case anybody thinks that Valdis is somehow bragging, forget it. The many roles he is expected to fulfill are typical in a university environment. There *is* no such thing as "an intrusion detection specialist". Everyone in edu wears many hats - most of which are fulltime jobs in their own right.
And you can't weasel out by saying "Hire somebody else to do that other stuff" or "hire somebody else to do security" - the point is that if we did hire somebody else, then we'd only have 1 person of the 2 available for productive work. If we didn't have to keep spending resources on security, BOTH people would be available then.
That's won't stop anyone from trying though. They actually think "security" is the stuff you *should* be doing, not helping your users be more productive.
Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
