Ignorance? Tight budget? A lack of management comprehension?
I’ve just walked out of a meeting in which I drew upon the largest dose of self-control in my young career. The topic was expansion – new network, new designs, new servers. Factor in some delicious VMware server clusters and possibly some 4500 series switches, and this isn’t a project to gawk up. What has got me riled up this morning is the fact that all anyone wanted was the end result. They also wanted it, you guessed it, yesterday! No matter what corners were to be cut, the project was required to be done. The biggest corner cutting came at security.
I raised this point and asked, “It’s nice to want all this, and this is how we are going to achieve our end result, but what has my red flag raised is security. Nothing you have mentioned addresses this.” The curt reply was to make it work within the budget. This off-the-cuff, flippant response irked me, but I know not to fight fire with fire.
I have thought about how to solve this roadblock while teaching my colleagues/superiors about the importance of security. I want to do this in a way that highlights the need for security, as well as the steps that can be taken to minimize compromise and theft. I know currently that management are of the mindset, “A breach hasn’t happened to us.” A cotton-wool protected cocoon safely tucked away inside of virgin-guarded Internets has people foregoing firewalls and IDS/IPS systems. But generally, it’s not “if” an attack happens, it’s “when.” Gosh, I know my 1841 router at home shows port scans against it more commonly than Lady Gaga wears crazy outfits, let alone an enterprise Internet-facing device.
Now, sitting back at my Macbook, I am currently calming down. But I am adamant that the next meeting I walk into, I will be armed with reasons why we need security. Hopefully, I can find information about breaches into companies similar to the one I am assigned. Maybe then, reason will be seen just as light is seen when a light switch is flipped on. Things like:
- Why you can’t put a price on security, but what you can expect from spending X,Y, or Z amounts.
- Why you can’t pretend you will be okay.
- You wouldn’t expose your own body to harm. Why expose your network?
I’ve put this post out to the Packet Pushers community, and have some questions.
- Have there been situations where you have needed to calm yourself and recollect before trying again? I’d love to hear about it.
- Currently, I am working with the minuscule budget figures that are left over to implement a rock-star security solution. How have others dealt with similar situations?