> The vast majority of IT executives are unfamiliar with all of the
> principles of security, firewalls, coding, whatever.

> The important thing to understand is that such principles are below
> their granularity; the[y] are *right* to not care about such
> principles, because they can't do anything about them.

Perhaps - but then, they have to stop second-guessing the people who
*do* know what they're talking about.  Trying to have it both ways -
management that is inexpert but nevertheless imposes their opinions on
design or buying decisions - is a recipe for disaster, and, while
hardly universal, is all too common.

I've never understood why it is that managers who would never dream of
second-guessing an electrician about electrical wiring, a construction
engineer about wall bracing, a mechanic about car repairs, will not
hesitate to believe - or at least act as though they believe - they
know better than their in-house experts when it comes to what computer,
especially software, decisions are appropriate, and use their
management position to dictate choices based on their inexpert,
incompletely informed, and often totally incompetent opinions.  (Not
just security decisions, either, though that's one of the cases with
the most unfortunate consequences.)

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               [EMAIL PROTECTED]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.