First things first. If you're interested in cloud security, you may want to download the whitepaper now available from Capgemini over at:
http://www.capgemini.com/insights-and-resources/by-publication/putting-cloud-security-in-perspective/
Now I'll admit to writing that piece and so this is really just a blatant plug. Happy to take comments on the paper though.
Other things... still frustrated by a variety of different attitudes to security, maybe I should try and catalogue them....
Best Intentioned (but ill-informed)
Those who do what they do with the best of intentions, e.g. "well we did that to improve the security", but have no real expertise in the subject area and were too busy to ask anyone else and so end up going down a sub-optimal path.
Rationale Reverse Engineers
"Well, it's too late now and we can't possibly implement that solution. It wasn't really that important anyway was it? Not if you think about it like this..." Nuff said.
The Optimist
"Well, who'd do a thing like that? Nobody's interested in attacking us." Eeek. The Optimist has always been around and I daresay will always be around. I always feel guilty pointing out the realities and tarnishing such naive innocence.
The Robot
Blind obedience to policy or procedure. Even if that policy or procedure is not directly relevant to the problem at hand.
The Pessimist
"Well, if this were to happen we'd be dead in the water. So we can't do anything." All risk is bad. Possibly even more dangerous from a business perspective than the optimist. If you tend to believe in Darwinism and any applicability to the business environment then it's the organisations that are most able to change that thrive. Change and Pessimists do not mix well.
The Perfectionist
You're only secure if there is no way in. Lock down everything. Ensure that every line of code in your organisation is perfect. Often find work as penetration testers.
The Policy Monkey
A bizarre breed who produce policies with blatant disregard for the organisation concerned, the applicability, technical relevance or feasibility of their output. Often expensive but very good at producing materials for balancing wonky tables.
Have to point out that the categories in the above list are not directly correlated to individuals in my current day job and are generic caricatures. Just in case anyone's reading. :-)
Thursday, 29 July 2010