In a message dated: Fri, 09 Mar 2001 19:10:22 EST
"Kenneth E. Lussier" said:
>And to tie these comments in with the issue of security...... To my
>knowledge, B&N has never been compromised to the tune of millions of
>customer data files.
"To my knowledge" is the key phrase :)
Also keep in mind last week's revelation from the FBI that an Eastern European
ring of crackers has stolen more than 1 million credit card numbers over the
past year or so. What I haven't seen revealed yet is a list of *WHERE* they
were stolen from! (As a safety precaution, I called my credit card vendors on
Friday to have all my cards re-issued with new numbers :)
>Many of the .com's have had the same problem. They don't take
>security seriously, they get penetrated, so no one wants to buy from
>them. I'm sure there is a direct cause and effect there.
I don't know if I agree completely with that. I don't think it's that
they don't take it seriously or believe it's not important. Rather, they're a
start-up with a lot of pressure on them by VC firms and other investors to turn
a profit and go public so the VC firm (and the founders) can get rich and move on.
Therefore, there's generally:
A) more emphasis on making money
B) improving (or at least not impeding) productivity
C) going public
Taking security seriously, and making it the level of priority it probably
*should* be:
A) costs money that could be better (from a business perspective)
spent elsewhere
B) impedes productivity
C) requires hiring people who don't contribute to A) and
do contribute to B).
The name of the game in any business is first and foremost MAKE MONEY! That's
it, end of story. If you're not doing that, you're not a business by the very
definition of the word. Small start-ups cannot usually afford high levels of
security because of how much it costs. This in no way means that they
*shouldn't* be concerned about security, and, IMO, any VC firm out there ought
to be making damn sure the companies they invest in *are* using some of their
money to take appropriate security measures. However, when you think about it,
why would those in a VC firm be any more technically savvy than those in the
management of any given company about these types of things?
>If a company wants to survive, management-types need to realize that they hire
>people for a reason. That reason being that they (the managers) do not
>always know what's best, nor do they know everything. That is why they
>hire specific people for specific jobs. There are very few people alive
>that know everything about everything. If management does not want to
>accept the decisions and recommendations that the technical people make,
>then they need to accept the consequences.
Well, on the flip side, the employees hired for specific jobs must also
realize that they are hired to not only do a job, but to provide
*recommendations*. They must then realize that those recommendations may or
*may not* get carried out or acted upon. At which time, it is the employee's
job to move past those specific recommendations and get on with life.
When and if the situation comes up again, it is also the responsibility of the
employee to remind management about those prior recommendations, but only in
an advisory manner. If management continues to seemingly ignore those
recommendations, there's nothing you can do. Continuing to harp on the fact
that management is ignoring said recommendations, pointing out that one
thinks they are wrong, etc. does nothing but make the employee in question
an unwanted pariah. Remember, though the employee has the talent, the employer
has the power.
>The situation is only made worse by middle managers with delusions of grandeur
>that act as yes-men to upper management because they want to enhance their
>careers. If they don't relay the appropriate urgency from the technical staff
>to upper management, then when a penetration does happen, they won't have a
>career anymore.
Again, that may be true in some places (more likely large companies), but I
doubt it's that bad in most start-ups. Most don't have much if
any middle-management. Additionally, I would say that employees who are
unable to be diplomatic in their approach with management about security
issues are just as guilty, and more likely to find themselves in positions
where they are actually less able to help the company despite the fact that
they are technically quite gifted.
This does not mean that one should not bother to point out to management where
security can be enhanced, or what steps should or could be taken to make a
penetration event less likely to occur. They absolutely should. However, it
should be done in a diplomatic manner so as not to place the person in such a
position that management begins to tune that person out completely.
Additionally, management should also be willing to explain the reasoning
behind their decisions to not go forward with recommendations, or at least
recognize and thank the employee for their hard work and concern, but then
explain why this is not the right time to move forward.
I readily agree that management is guilty of poor communication and lack of
recognition towards their employees in the sysadmin/security positions. I
would also contend that more often than not, management takes the approach/
attitude that they don't *have* to explain their decisions to the worker bees
of the company, *because* they're the management. However, this is both naive
and ignorant. It also comes across to the employees as the ineffective
words they heard from their parents when they were 5; "Because I said so".
It didn't work when we were 5, why should it work now?
Answers or responses of this nature from management do nothing but alienate the
employee. Also, management would do well to recognize that people in the
sysadmin/security field are usually quite passionate, sometimes to a fault,
about their job. Alienating employees is not a wise business move in general,
but even worse in the case where said employee is responsible for the welfare
of the entire information infrastructure of the company. More than once
disgruntled employees have sought their revenge. Of course, this does the
disgruntled employee no good either, since in most cases, they're caught,
sued, and sent to jail or forced to pay large sums of money they don't have.
It additionally has the effect of completely ruining their reputation in the
industry, thereby probably ensuring they won't get another job outside the
field of burger flipping anytime soon.
A better response from management would be one which contained a reasonable
discussion of why we can't move forward with certain recommendations at this
time, or explain why the requested approach may need some tuning and tweaking.
The biggest problem I've seen as related to companies who do too little to
ensure their network security (or anything else for that matter) is usually
a quite simple one to solve. The problem itself is one of LACK OF COMMUNICATION
between employee and employer. Both take the attitude that they are right and
the other one doesn't understand.
The employee gets an attitude that management is technically inept and
therefore unable to understand the implications of the security problems.
The employer (i.e. management) gets the attitude that this sysadmin/security
nut is an overly paranoid, up-tight, punk who is completely inept in the ways
of business, and therefore unable to understand the implications of the
business impact their suggestions would have.
Both of these positions are usually right on the money. However, the fact that
both sides may be 100% correct in their assessment of the other party does not
accomplish 1 iota of anything!
Unfortunately, neither side ever wants to calm down enough to sit and discuss
these things rationally, and if one side tries (usually management, since they
usually have better social/people skills than we geeks :) the other side
(usually us :) is unable to remain cool, calm, and collected, and end up
letting our passion get the best of us. And we're right back to square one!
So, with this ridiculous and endless circle, it's quite easy to see why, with
all the other problems of over-worked, underpaid sysadmin/security people, a
lack of technically qualified candidates, and a great job market, many places
never experience the level of security they should.
It's not a technical problem, it's a social one. And the sooner we technically
oriented people can realize that tact and diplomacy win more friends than
being right, the better off we'll be. And management will be thanking us for
it :)
And that is all I have to say about that. I now return you to our regularly
scheduled flame war :)
--
Seeya,
Paul
----
It may look like I'm just sitting here doing nothing,
but I'm really actively waiting for all my problems to go away.
If you're not having fun, you're not doing it right!