On Tue, 1 Jan 2002, A Question wrote:

> Greetings,
>
> Beg your pardon for sending, but I could use your
> advice. [etc., etc.]
> The security for the network and servers I administer
> is NON-EXISTENT. This is not only fine with my
> superiors, but I have been told to not work on
> security anymore, as it is "un-important". The CEO
> thinks that it is secure because my CIO lies and tells
> him that it is. [etc., etc.]
> appreciated. Also, after I leave, should I send a
> letter to the CEO about this?

Hi;

I would not resign/leave (at least not before I "hit the honeycomb" -- sorry. Don't know how this expression translates to English :-)

I would write a memo _DIRECTLY_ to the CEO, in "mid/low tech language", explaining to him/her everything you stated in your email:

- Explaining the REAL situation of your enterprise security
- The IMPLICATIONS (especially the ECONOMIC ones :-) this situation has for the company. I would write down some examples (kind of: "it takes N hours/man to reinstall X servers...", "We're LOSING N bandwidth because of sec. vulnerabilities, which means N MONEY/MONTH...", etc., etc.)
- Detail some vuln. that you know have caused problems to the quality of your services in the past. Would be great if you can state any clients you know you've lost because of the QoS.
- Detail the times you've advised your boss of these problems (better if you have these documented) and show them the answers he/she gave you.
- Explain that you were supposed to be in charge of all the aforementioned, but your boss _EXPLICITLY_ didn't allow you to do one single thing in order to improve security.
- State that you know the CIO was lying to him/her on these issues.

Finally, you should say that, if nothing is going to be done you will resign for three reasons:

- You don't agree with the DANGEROUSLY WRONG WAY things are being done.
- You don't like to work with a CIO that LIES and is clearly going to use you as a scapegoat in case something happens.
- You consider it is worthless to lose your time in a place where there is an evident lack of common sense, laziness seems to be the rule and international standards on security and network management are foolishly ignored.

Maybe you're lucky and they reconsider you/the situation. Or not, but at least you know you've made it harder for the CIO to lie to the CEO :-))

Hope this helps.

Good luck

Regards

Javier Bértoli
Centro de Telemática
Universidad Nacional del Litoral
/* ---------------------------------------------------------------------- */
"Whenever you are asked if you can do a job, tell 'em 'Certainly I can!' - and get busy and find out how to do it." (Theodore Roosevelt)