Stop Disabling and Start Enabling
If information security is to ever have an ounce of credibility in a corporate world it has to stop disabling and start enabling. The days of hiding behind thick piles of self-scribed doctrine and exercising personal dogma laced with stupid egotistical power trips based on technology religion must end. If you talk to most (yes most) folks outside of information security in an environment where this culture is allowed to exist they will usually raise an eyebrow, get their hackles up or even laugh in your face. The locker-room conversations discuss the “thought police” and ways to not tell or involve security about what’s really happening, and quite frankly I don’t blame them. Why?
Because sadly some so-called security folks are nothing short of dinosaurs and I suspect exhibit many of the traits above. This article in CSOOnline proves it.
Can you blame people? I often read things and laugh, sometimes I read them and get angry and occasionally I read things and don’t know what to say apart from “what “wibbly wobbly” planet do you live on?”
Maybe you would like to kill all cell phones as well? Let’s face it, they are really annoying. All those people talking and doing business while you try and read your newspaper with your drip coffee and Krispy Kreme.
Maybe that newfangled Internet thing should be shut off period? After all what’s wrong with paper and carrier pigeons?
I hope the author doesn’t work for a publicly traded company. If he does I am calling Kramer for a sell recommendation and I am serious.
As Dilbert once said, “I am not anti-business, I am anti-idiot”.
May 4, 2007 at 12:51 am
I’ve found that some environments really do not see much benefit to IM. But that’s really not the point of your post or my comment.
I’ve found that you can be someone who disables things and can get away with it, as long as your department also enables things for the business. Want to win that battle about locking down egress on the firewall or web filtering blocks? Also be sure to earn cred by enabling new technologies as the business and senior mgmt require.
I’ve also found that sometimes those “disablers” are people (or in companies) who have weak management skills or security skills. Rather than learn how to adapt and/or manage risk and people properly, they instead go with the heavy-handed approach.
May 4, 2007 at 12:55 am
I’m so glad you wrote this. I read the same article today, had a good laugh, and was all set to write a similar blog entry but got lazy and decided it isn’t worth my time.
Thanks for pointing out the ridiculousness of the article - you saved me from having to do it myself and a lot more people probably read your blog.
May 4, 2007 at 6:51 am
What some security departments think is that they are about “control”, and IM relinquishes that control. As we’ve said so many times, security is about the risk to the business vs the benefit that it gives - in many instances, IM is a great way to keep a semi-real time conversation going, and a great way to share knowledge/tap into the shared IQ.
However, there are sides to it - is IM appropriate in a SCIF environment where there is sensitive data that can’t be leaked? The answer I feel is obviously no. But in most other environments there are plenty of other ways to get data out (if that is the concern) or waste time (probably more so to some people ;)) so it’s a moot issue.
May 4, 2007 at 12:12 pm
I built a jabber server on our management network specifically so all the operations folks could share information with each other. It’s one hell of a lot better than yelling dotted quads across the ops bay! It also fits with our incident response–open up a conference bridge and start calling people to join the bridge. Only now we have a virtual bridge in the form of an IM room to share information that doesn’t lend itself well to verbal explanation like packet captures, event descriptions, etc.
May 4, 2007 at 3:34 pm
Well, if you read the whole article, he says more than that, and acknowledges that IM is needed in some businesses. Read his whole post. I had the same reaction when I read just the quote you pulled from it, but a complete reading tempered my eye-rolling, if only just a bit.