On Fri, 14 Apr 2000, Bill Husler wrote:

> Has anyone here had occasion to face the situation where Upper Management decides
> to move forward in a direction against the recommendations of the group
> responsible for data security disregarding their concerns? If so, what did you do

In a very recent past life I did that a fair amount of the time.

> about it? Did you write it up and ask them to formally acknowledge their
> acceptance of the exposure? What form would this document take? Any examples?

While I don't have specific examples, I've always played my trump card in
a public company by outlining the specific concerns and risks to someone
who would be considered a "Corporate Officer."  It used to piss my boss
off *badly* that I'd corner _his boss_ with the "If you do this, it's
against my specific recommendation for the following reasons..."  Followed
by a "The right way to attempt to do this class of thing is..." assuming
there's a right way.

You have to have a good and well-respected relationship with everyone
above you for this to work and not be immediately career-limiting.  

A just-before-the-last-ditch effort was generally to get the highest
person I could corner into a room and rant about threats, vulnerabilities,
perceptions, risks, etc. of whatever it was for as long as possible.  That
not only worked, it got them able to not go down silly paths again.  I've
always been pleasantly surprised when the CIO of a multi-billion-dollar
corporation showed the ability to grasp technical, not just managerial
concepts and apply them to classes of problems that other departments
dream up without me having to go into defensive mode on their behalf.

Please understand though- this is the sort of thing that can destroy
careers in companies- especially if those in charge don't understand the
value you're bringing to the table.  I was pretty lucky at my last job- a
good amount of time spent pointing out why a lot of bad things hadn't
happened to us because of a lot of good things we were doing provided a
positive reinforcement mechanism.  

Even in what I considered the best possible environment for me in a
company with a market cap in the $20 Billion range, I'm fairly sure I
almost got tossed at least twice in an 8 year period, and I almost quit
about a dozen times.  I thought about it a lot more than that.

Your best bet is to document a more palatable alternative if possible (e.g.
if it's a protocol issue, offer the offending dweebs a chance to get off
their butts and walk to a machine outside the firewall that gets scrubbed
each night.)  If it's completely bad (e.g. "The Advertising Department
must spam the world!"), document the negative effects and place it as high
up the chain as possible.

Hope this helps,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
