On Wed, 5 May 2010, Michael Tiernan wrote:

> I am just saying that I (and who knows how many others) may benefit
> from learning from someone more experienced in the process of putting
> together a business case argument about something like this. I know
> that when asked "Why?" about some of these things, my mind goes blank
> because I have never thought about the problem from the point of view
> of someone who doesn't think of it as obvious.

I know I have a huge amount to learn and I am making an effort to see things from the business side of things.

Recently I have been explaining to various technical people why the production systems are being managed by a services organization and what some of the absolutely essential things that organization provides are. Things like datacenters with lots of physical security policies and procedures in place that will keep auditors happy. Such issues are considered to be, at best, irrelevant by many technical folks, but absolutely essential for working in a number of industries or markets. Unless the auditors are satisfied that various security requirements are being met, those aforementioned technical people won't have jobs.

Unfortunately, this sort of situation can lead to making sure the form of security is met while the actual function is somewhat lacking. I have seen cases where the only security requirement was to "pass the auditors" instead of best practices. From a business standpoint, passing the auditors is essential; doing more than that is an extra expense that may not be justified in the eyes of non-technical management.

Taking a CISSP prep class certainly taught me a lot about bridging that gap, but there is much more I need to learn.

Ok, so I have been rambling. These are some of the issues on my mind and I expect some of the folks here may have valuable insights.

--
Matt
It's not what I know that counts.
It's what I can remember in time to use.

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
