[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu Apr 27 15:17:48 2006
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: Should I Be Worried?
Sol Invictus wrote:
> And THAT my friends is why it IS so hard! People know that if its
> only one person that knows about it, sooner or later they will shut up
> and move on. If you're gonna watch your stuff anyway, why not contact
> the credit bureaus and put an alert on your file and then go FD!
>
> In the words of our fore fathers, "United we Stand! Divided we fall!"
>
> Thank you for being one of the sheep that makes the rest of our jobs
> harder.
>
>
Not everyone's cut out for that kind of responsibility. People have
different considerations and things that drive them.
The reason it's so hard is not for lack of talking but rather for lack
of caring. Having worked in both the educational and corporate world I
can say, beyond a shadow of a doubt, that what we say here doesn't
really reach them for the most part. It reaches software producers,
yes... and that was my original point. Appointment jobs are CYA jobs
and bandaids are better than fixes in those situations.
The best way to affect that kind of change is to change the corporate
culture -- which is a lot harder than it looks.
Many certified security professionals are taught that risk management is
all about cost versus loss. It's like in fight club... it's the
formula. a + b + c == x. If x is less than the cost of combined losses
then companies don't fix it because it's counterproductive. It's
roughly the same in organizations like universities only sometimes worse
because there are all manner of divisions of labor and decisions made
and deals appropriated that are there just for internal politics and job
security for certain individuals.
What has to be considered is the fact that cost, in this case, is from
the side of the institution. My bank account, for instance, means a lot
more to me than it does to my bank. To my bank, I'm a very small
percentage of the funds they hold. To me, my bank account is my ability
to pay my rent this month.
The whole situation won't change until the corporate culture changes to
stop being selfish and start considering the interests of the customer.
And we're a long way away from that happening, unfortunately.
-bkfsec
p.s. I understand what you're saying, though... that our voices
increase the combined cost to the organization driving them harder to
fix things... this is true... but many organizations will just try to
shift those costs back to you through legal means. We have to pick and
choose our battles.
Powered by blists - more mailing lists