Joe Judge writes:
> So, I have to agree with Char: politics will place you more at risk than
> anything I've seen. No 6-week expert or 6-year expert will help when
> that political silliness kicks in.

Definitely. I've come to the conclusion (reluctantly) that
without good management, it's impossible to have good
security. By "management" I do not mean "network
management" -- I mean "senior management", e.g., corner-office
suits. Organizations that do not have someone with
a clear technological vision and the power to encourage
cohesiveness cannot accomplish much from a security

Indeed, I am coming to believe that "policy" (the holy
grail by which computer con$ultants swear) is a bureaucratic
cheap second to technology leadership. Which may explain
why LGOs (Large Government Organizations) have lots
of policies and procedures: they have no leadership and
lots of office politics. After all, the root form of "policy" is
the same as the root form of "politics".

I've seen organizations that have such ferocious politics
that it's impossible to secure them. I've seen organizations
that have too many smart people, each with independent
budgets and no desire to work together. I've seen
organizations that have no technical staff that are up with
the current technology, trying to implement security with
checklists and policies that are relevant to mainframes.
I've seen smart and enthusiastic technologists ground up
in the wheels of committees that are afraid of change and
want only the status quo -- even if the status quo is less
secure than the Internet. I've seen security people
"responsible" for security on a roll-out that they can't
stop or even make suggestions about, and I've been called
in to "bless" a configuration that goes live tomorrow, when
everyone knows there are holes in it, but management won't
listen. In short, I've seen countless cases of clueless
management right out of "Dilbert" masquerading as
technical problems. The technical problems are dwarfed
by the problems management and office politics cause.

(In the last 2 years, being "Senior Management",
I've realized that office politics are caused by lack of
decisive or sensitive leadership from above.)

In short, I realized after a while that I was not really
a security con$ultant, I was a corporate $hrink. Amusingly,
psychology actually was my major as an undergrad... (this
was back before I started working for the Mo$sad) It
gets pretty weird when you can talk to someone for about
5 minutes and - based on an org chart - list 50% of their
current security exposures. :(

Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
New Book!! http://www.clark.net/pub/mjr/websec