A "No Kidding" Risk Analysis

Author: Gary Nichols
Date:  
Subject: A "No Kidding" Risk Analysis
It really comes down to what the priorities are in the company you work
for, and if you have an executive-level supporter of information security.
If you don't have someone up high that is going to fight for 'what is
right', you're doomed from the beginning until a security incident happens
- then you get blamed anyway. Nice, eh? Just wait till your company has
to go through a government compliance audit, a SAS 70, or a business
continuity audit - boy do eyes get opened. Talk about getting ammunition.

I feel very lucky that I work for a company that has taken an "Expediency
does not justify forgetting personal privacy/security" stance. I had a
bit of a battle on my hands when I took over as Chief Information Security
Officer, but through a little education and locating several 'champions'
within the company to help me with my mission - it has become a lot
easier.

If anyone wants any advice on making their company take security a little
more seriously, I'd be happy to lend my experience.

Gary
-------------------------------

http://www.linuxchimp.com

> Same thing happened to me. I found 10's of thousands of credit
> card numbers, names, addresses, mother's maiden names, etc stored
> on the web servers in logs - contrary to corporate policy. I made
> the developers stop logging that stuff. My contract was terminated.
>
>
> > PS: When did pinhead finance majors start making engineering decisions?
> > That is something that really bugs me.
>
> That is the way it works. At least in the two Big Corporations
> I've worked for as well as the Military. It all comes down to the
> Benji's - someone has to pay for the screwups, and they have to
> weigh the cost to fix the problem against the benefit of that fix
> against the risk of not fixing it.
>
> Did you know that it costs $20,000 to change one page of a Navy
> Reactor Plant Manual? Needless to say, they don't change them
> unless it's important.
>