It's all about "risk management." Most companies we work for aren't in the business of selling security. They're in the business of selling goods or services. Tell upper management they have to secure something and it gets in the way of adding to the bottom line? You better be prepared to justify your position and to compromise.

Executives get paid to take acceptable risks. Our jobs are to advise and give rational advice based on the businesses we're in, AND then walk away and live with whatever the execs decide.
From: Jason Wilcox <[EMAIL PROTECTED]>
Sent by: firewalls-owner@Lists.GNAC.NET
To: "'Bill Husler'" <[EMAIL PROTECTED]>
cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Date: 04/14/2000 12:14 PM
Subject: RE: Off Topic: Upper Management decision making
Bill, this isn't just a question of someone taking responsibility and acknowledging their risks; it is a matter of your principles and your belief in what you do.

I too was recently faced with this decision and followed the advice of some to make sure that they understood the risk that they were taking. They claimed they understood the risks, and felt that it was worth the potential gain. My job was to secure their resources and that made it impossible to do that. In the end I realized that I couldn't compromise what I believed was right and resigned based on the fact that they were creating a risk that I could no longer effectively manage.

I am not saying that you should quit and leave, and I don't advocate leaving your job because someone doesn't agree with you. However, there is a point at which you cannot cross the line, you cannot compromise your principles. No matter what someone signs saying they accept the risk, you're the one who is still responsible for managing that risk on a daily basis.
Jason P. Wilcox
-----Original Message-----
From: Bill Husler
Cc: [EMAIL PROTECTED]
Sent: 4/14/00 9:57 AM
Subject: Off Topic: Upper Management decision making
Has anyone here had occasion to face the situation where Upper Management decides to move forward in a direction against the recommendations of the group responsible for data security, disregarding their concerns? If so, what did you do about it? Did you write it up and ask them to formally acknowledge their acceptance of the exposure? What form would this document take? Any examples?
Bill
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]