A "No Kidding" Risk Analysis

Gary Nichols plug-discuss@lists.plug.phoenix.az.us
Sun, 3 Feb 2002 08:45:50 -0700 (MST)


It really comes down to what the priorities are in the company you work 
for, and if you have an executive-level supporter of information security.  
If you don't have someone up high that is going to fight for 'what is 
right', you're doomed from the beginning until a security incident happens 
- then you get blamed anyway.  Nice, eh?   Just wait till your company has 
to go through a government compliance audit, a SAS*70, or a business 
continuity audit - boy do eyes get opened.  Talk about getting ammunition.

I feel very lucky that I work for a company that has taken an "Expediency 
does not justify forgetting personal privacy/security" stance.  I had a 
bit of a battle on my hands when I took over as Chief Information Security 
Officer, but through a little education and locating several 'champions' 
within the company to help me with my mission - it has become a lot 
easier.  

If anyone wants any advice on making their company take security a little 
more seriously, I'd be happy to lend my experience.

Gary
-------------------------------
gary@linuxforce.org
http://www.linuxchimp.com

> Same thing happened to me.  I found 10's of thousands of credit 
> card numbers, names, addresses, mother's maiden names, etc stored
> on the web servers in logs - contrary to corporate policy.  I made 
> the developers stop logging that stuff.  My contract was terminated.
> 
> 
> > PS: When did pinhead finance majors start making engineering decisions?
> > That is something that really bugs me.
> 
> That is the way it works.  At least in the two Big Corporations
> I've worked for as well as the Military.  It all comes down to the
> Benji's - someone has to pay for the screwups, and they have to 
> weigh the cost to fix the problem against the benefit of that fix
> against the risk of not fixing it.
> 
> Did you know that it costs $20,000 to change one page of a Navy
> Reactor Plant Manual?  Needless to say, they don't change them
> unless it's important.