I just had to step in here after reading this thread for a while.
It is all very nice to say that the security admin should have done this
or that. Risk matrix, fixes, etc. The bottom line is the CIO or CEO is
ultimately responsible for the corporation including security risks or
exposures. For the most part they just don't give a ____.
They will all say how they believe in security and its value in the
corporation but all they care about is their year end bonus and a round of
golf on the weekend. A security incident or an overturned rail car or a
hurricane is just another business incident. It happens. They are ultimately
responsible and can be fired just like anyone else. The funny thing is that
management is easily more expendable than line workers these days. Stay in
the tech area and don't sweat the big issues because largely they are out of
control.
Retired security architect and a happy peeon. (Actually I just got sick of
the total bull at high levels.)
Network Guy
> -----Original Message-----
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, December 06, 2000 1:47 PM
> To: Ng, Kenneth (US); 'Ron DuFresne'
> Cc: [EMAIL PROTECTED]
> Subject: RE: NAI & McAfee website hacked.
>
> If you presented in a different way, as in providing an acceptable risk
> matrix.
>
> Here is how much to fix this issue hourly rate * number of manpeople *
> Value of Asset if broken into * number of manpeople to prevent it from
> happening again = some value that a bean counter will recognize
>
> There is a lot more to it, but basically it starts off from there, it is
> called Asset Risk Analysis. Basically it allows one to present to
> management a nice little picture with a couple of circles and arrows with a
> paragraph on the back describing the bloody mess..
>
>
>
> /mark
>
> At 01:21 PM 12/7/00 -0500, Ng, Kenneth (US) wrote:
> >Did not matter. I had TWO REFUSED purchase order forms with my cover letter
> >explaining what it was for. Their response was that it was my fault because
> >they were aware but they were not "fully aware". Thing is, at that place
> >they did not want to be fully aware because every time I tried to make my
> >case they said "you're rehashing a non issue, you have more important things
> >to do". Bottom line was that the management at that place was like Bill
> >Clinton, do anything, say anything, rewrite history, no morals. That's one
> >reason I am no longer there.
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]