On Tue, 1 Jan 2002, A Question wrote:
> Greetings,
>
> Beg your parden for sending, but I could use your
> advice.
[etc., etc.]
> The security for the network and servers I administer
> is NON-EXISTENT. This is not only fine with my
> superiors, but I have been told to not work on
> security anymore, as it is "un-important". The CEO
> thinks that it is secure because my CIO lies and tells
> him that it is.
[etc., etc.]
> appreciated. Also, after I leave, should I send a
> letter to the CEO about this?
Hi;
I would not resign/leave (at least not before I "hit the
honeycomb" -- sorry. Don't know how this expresion translates to
English :-)
I would write a memo _DIRECTLY_ to the CEO, in "mid/low tech
language", explaining him/her everything you stated in your email:
- Explaining the REAL situation of your enterprise security
- The IMPLICATIONS (specially the ECONOMIC ones :-) this situation
has for the company. I would write down some examples (kind of: "it takes
N hours/man to reinstall X servers...", "We're LOSING N bandwith because
of sec. vulnerabilities, which means N MONEY/MONTH...", etc., etc.)
- Detail some vuln. that you know have caused problems to the
quality of your services in the past. Would be grate if you can state any
clients you know you've lost because of the QoS.
- Detail the times you've advised your boss of these problems
(better if you have these documented) and show them the answers he/her
gave you.
- Explain that you were supposed to be in charge of all the
forementioned, but your boss _EXPLICITLY_ didn't allow you to do one
single thing in order to improve security.
- State that you know the CIO was lying him/her on these issues.
Finally, you should say that, if nothing is going to be done you
will resign for three reasons:
- You don't agree with the DANGEROUSLY WRONG WAY things are being
done.
- You don't like to work with a CIO that LIES and is clearly going
to use you as a scapegoat in case something happens.
- You consider it is worthless to lose your time in a place where
there is a evident lack of common sense, laziness seems to be the rule and
international standards on security and network management are foolishly
ignored.
Maybe you're lucky and they reconsider you/the situation. Or not,
but at least you know you've made it harder to the CIO to lie to the CEO
:-))
Hope this helps. Good luck
Saludos
Javier Bértoli
Centro de Telemática
Universidad Nacional del Litoral
/* ---------------------------------------------------------------------- */
"Whenever you are asked if you can do a job, tell 'em 'Certainly
I can!' - and get busy and find out how to do it.
(Theodore Roosevelt)
