
Enterprise Security For the Executive

samzenpus posted more than 4 years ago | from the read-all-about-it dept.


brothke writes "If Shakespeare were to write an information security tragedy, it would not be titled Hamlet, but rather Bayuk. The story of Jennifer Bayuk is tragic in that she spent a decade as CISO at Bear, Stearns, building its security group into one of the best in the business, only to see it vaporized when the firm collapsed and was acquired by J.P. Morgan Clearing Corp. After all that toil and sweat, Bayuk was out of a job. (Full disclosure: Bayuk and I have given a presentation together in the past, and I did get a copy of this book for free.)" Read below for Ben's review.

While the information security engineering group that was at Bear, Stearns is no more, Bayuk has taken her vast expertise and put it into a great new book: Enterprise Security for the Executive: Setting the Tone from the Top. While many other books equate security with technology and are written for technologists, Bayuk writes that information security is all about management control: to the extent that a CxO controls assets, others cannot use them in unexpected ways.

The book is written to help CxOs and business executives become familiar with information security concepts and techniques, so that they are able to manage and support the efforts of their security team. That matters, because a big contributor to the poor state of information security is that CxOs are far too often disconnected from their information security groups. No story illustrates this better than Heartland Payment Systems CEO Robert Carr blaming his PCI auditors for his firm's security problems. Carr is a perfect example of the type of person who needs to read this book. As an aside, for an excellent reply to Carr's kvetching, read what Rich Mogull wrote in An Open Letter to Robert Carr, CEO of Heartland Payment Systems.

While many CxOs think that security is about firewalls and other cool security products, it is truly a top-down management approach, not a technology one. The book notes that the only way for information security to succeed in an organization is when management understands what its role is.

What is unique about the book is that Bayuk uses what she calls SHS (security horror stories). Rather than typical FUD stories, the horror stories detail systematic security problems and how they could have been obviated. Seeing how these companies got it wrong makes it easier for pragmatic organizations to achieve effective security by setting a strong tone from the top down.

Bayuk details the overall problem in the introduction and notes that many CxOs have wrongly spent significant amounts of money on security to avert security incidents, but have done so without any context of a greater information security methodology. This leads executives to think of security as nothing more than one long spending pattern.

Chapter 1 — Tone at the Top — notes that a tone exists at the top whether it is set deliberately or not. The tone is reflected in how an organization thinks about the things it really cares about. Employees can tell how much a CxO cares about security by their level of personal involvement. That does not mean a CxO needs to be, or should be, involved with the minutiae of firewall configuration or system administration; the point is rather that they are, for example, championing the effective and consistent use of firewalls and the secure administration of systems.

In chapter 5 — Security through Matrix Management — Bayuk does a good job of detailing the various places the security group can be placed in an organization. The chapter notes that there are as many ways to organize security as there are organizational structures. Bayuk writes, for example, that if the CxOs in a given organization are a tight-knit group accustomed to close coordination, then it should not matter which CxO the person managing information security reports to. If that is not the case, there may be multiple security programs that end up far below the C-level visibility that effective security requires. The chapter provides a number of different organizational scenarios, with the requisite roles and responsibilities.

Chapter 5 closes with an important observation: a CxO should task the human resources department to put a line in all performance reviews whereby managers attest (or not) that the person being reviewed follows security policy, and a CxO should fire people who willfully avoid compliance with security policy. Whatever tone at the top exists should be used to make sure that everyone knows the CxO is serious about the corporate security program. Such a tone clearly marks an organization that is resolute about information security.

One thing that Bayuk does very well, repeatedly throughout the book, is succinctly identify an issue and its cause. In chapter 6 — Navigating the Regulatory Landscape — she writes that if a CxO does not have management control over an organization, then the organization will fail the audit. It will fail because even if the organization is secure today, there is no assurance that it will remain so going forward. Control, by contrast, means that the CxO ensures the organization is attempting to do the right thing, and in that case passing an audit is much easier.

Overall, Enterprise Security for the Executive is a fantastic book. It provides a no-nonsense approach to attaining effective information security. For those executives who are serious about security, the book will be their guiding light down the dark information security tunnel. In its 8 chapters (and a case study), the book takes a straightforward, plain-speaking approach to help CxOs get a handle on information security. It is to be hoped that Enterprise Security for the Executive will soon find its way onto every executive's required reading list.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Enterprise Security for the Executive: Setting the Tone from the Top from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.


NIGGERS! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30673200)

How was break dancing invented? From niggers trying to steal hubcaps from moving cars.

Tiny Penis! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30673404)

Why do some white men hate and fear the black man? Because they feel insecure about their tiny penises, and they believe that black men can more easily satisfy women. Of course, the fact is that, on average, black men's penises are only half an inch longer and a quarter inch thicker. But to an insecure man-child with a three inch micro penis, this might as well be a mile.

Re:Tiny Penis! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30673566)

Why do some white men hate and fear the black man? Because they feel insecure about their tiny penises, and they believe that black men can more easily satisfy women. Of course, the fact is that, on average, black men's penises are only half an inch longer and a quarter inch thicker. But to an insecure man-child with a three inch micro penis, this might as well be a mile.

Nah actually I love black people. I like them too, at least the ones who aren't mindless followers of the homie-G thug culture and its glorification of hard-drug abuse, violence, abuse of women, and absent fathers (a creation of white men who own media conglomerates, I might add). But that's not a black-white thing, I don't like anyone who's a mindless follower of some culture that was sold to them. It takes no guts to be that way. It's much harder to be a real person, an individual.

There's a mindlessness also to getting all offended over the words of a stranger. So, I just say things I don't mean to get people like you riled up, to get you to respond to it. Thanks for playing along. I could never play you like an organ if you didn't go along with it so readily and react so predictably.

Re:Tiny Penis! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30673986)

Nah actually I love black people. I like them too, at least the ones who aren't mindless followers of the homie-G thug culture and its glorification of hard-drug abuse, violence, abuse of women, and absent fathers

Me too - all three of them.

Re:Tiny Penis! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30674118)

Nah actually I love black people. I like them too, at least the ones who aren't mindless followers of the homie-G thug culture and its glorification of hard-drug abuse, violence, abuse of women, and absent fathers

Me too - all three of them.

In all of history, maybe 0.5% of all of humanity ever had real freedom instead of just mindlessly executing some socially patterned programming. Most of those were persecuted and even executed for their trouble. You can deny that programming, and to that I say it works so well because you think you have your own ideas and you think you are following your own impulses. Only a very tiny minority of the human race ever had a thought or idea that someone else didn't work very hard to put there, though they think themselves to be so original and creative and free.

Well played, sir! (1)

spun (1352) | more than 4 years ago | (#30675650)

I could give a crap how you actually feel, or how black people might feel. I'm not offended. We're both playing the same game here, offend the easily offended. But here we are, both feeling the need to justify our comments. Strange, don't you think? I mean, if you really feel the way you claim to, why even bother to respond to me? Perhaps I hit a nerve? A very small nerve, perhaps?

Re:Well played, sir! (0)

Anonymous Coward | more than 4 years ago | (#30678854)

what nerve!!! :)

Re:Well played, sir! (0)

Anonymous Coward | more than 4 years ago | (#30686364)

Also well played - you started off anonymous, then revealed your 4-digit UID to emphasize your point!

I am humbled.

But you self-identify as a troll? I'd ask if you're new here, but 4 digits - again, w00t! Long time lurking under the bridge, eh?

On a side note, I think you meant "I could NOT give a crap..." - sorry, pet peeve of mine.

Re:Well played, sir! (1)

spun (1352) | more than 4 years ago | (#30686582)

Yes, I have self-identified as a troll here as far back as I can remember. It used to be a badge of honor. We had the 'trolltalk' secret story ID, troll Tuesdays, some of the best trolls on teh intarwebz, and we were, as we used to say, 'on teh spoke.' Nowadays, trolling has become a lost art.

Mostly nowadays I troll libertarians. They're a very easy target.

main problem... (2, Insightful)

Anonymous Coward | more than 4 years ago | (#30673230)

is the CxOs who don't care about security in the first place. Blaming lower echelons of management is useless if the people at the top don't get IT.

Re:main problem... (3, Insightful)

FlyingBishop (1293238) | more than 4 years ago | (#30673640)

excellent summary of the summary.

Re:main problem... (1)

dkleinsc (563838) | more than 4 years ago | (#30674974)

To summarize the summary of the summary: People are a problem.

On the upside, a book like this, if written in CxO language rather than techy language, could be a useful tool for a lower echelon of management to use to convince the upper echelons of management that they need to give a damn about security. What you'd need along with the horror stories is the financial impact to the company ("they screwed up these 5 things and lost $50 million in lawsuits" has more impact than just "they screwed up these 5 things, here's how to not do that"), and a demonstration that the risk is real.

This book will... (0)

Anonymous Coward | more than 4 years ago | (#30673234)

boldly go where no security consultant has gone before!

___ for the Executive (4, Funny)

castironpigeon (1056188) | more than 4 years ago | (#30673280)

Err... so what's all this paper crap between the covers? Oh, I get it, that's so it doesn't fall over. Very clever.

Re:___ for the Executive (0)

Anonymous Coward | more than 4 years ago | (#30681036)

Since you have zero constructive criticism, does that mean you are an expert or clueless?

Re:___ for the Executive (1)

chessbase (1717328) | more than 4 years ago | (#30709802)

maybe

What was she securing? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30673342)

The tampon dispenser?

Re:What was she securing? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30673884)

Do you WANT women bleeding all over the place when at work? At least securing the tampon dispenser is doing something more valuable than what the usual GNU+Linux turdburgler does all day.

Re:What was she securing? (0)

Anonymous Coward | more than 4 years ago | (#30674774)

She was in the kitchen securing a sandwich for me.

Security, in corporate America? lolll.. (5, Insightful)

ibsteve2u (1184603) | more than 4 years ago | (#30673372)

I had a top secret security clearance with an armful of qualifiers by the time I was 18. The intensity of the security requirements for the things that I did in no way left me prepared for what was misnamed "security" in the corporate world, but it did lead me to abruptly learn one thing: It is not smart to tell anybody who has more power or connections than you do that their laziness or ineptness poses a security or business continuity risk.

All things - to include security - play second fiddle to office politics in corporate America.

Except, of course, in those rare instances where everybody in the executive suites has a vested interest in keeping either their competitors or the government unaware of their activities.

Military Security clearances. (1)

zoomshorts (137587) | more than 4 years ago | (#30673692)

Those are more about holding the soldier responsible for their actions, rather than for actual security. Blab what little you know, and treason is the charge du jour.

Many soldiers are routinely given Secret clearances, not so much out of a 'Need to Know', but more as a leash to strangle them if they F*** Up.

It makes them part of the project in their minds, and therefore more likely to behave. 'Q' cleared, 'NATO briefed' and all the ancillary stuff. 90 percent of these people have no actual need for those and higher level clearances. Such is life in the Military.

Been there, done that. Security-wise, not military, I was in Engineering.

Re:Military Security clearances. (1)

L3370 (1421413) | more than 4 years ago | (#30674370)

"Those are more about holding the soldier responsible for their actions, rather than for actual security..."

I will have to disagree. Security clearances were designed to effect a level of control tight enough that it would deter most people from obtaining the material illicitly or accidentally.

Clearance does not grant people access by virtue of being cleared. The need-to-know is very much a part of the security procedure. Just because you have a secret clearance as a network technician doesn't mean you have access to known terrorist dossiers marked with "Secret" on the front. Sometimes marking material secret is done just to keep troops from spurting out information like troop movements or battle plans. Thousands of people need to be involved in these kinds of actions so it isn't exactly a big secret...but you can't just have people running their mouths.

Also, the higher the clearance, the higher the level of control. So it's difficult to compare the level of importance they place on high-clearance material to the clearance they give to the masses of grunts. Without being exposed to the world of Top Secret or higher you just wouldn't understand how seriously they take this business.

Re:Security, in corporate America? lolll.. (0)

Anonymous Coward | more than 4 years ago | (#30673810)

If only there was some sort of person in charge of security for a cleared facility that you're required to report such things to, some sort of, I don't know, Facility Security Officer....

Or a dozen toll free numbers to anonymously report said violations if that route is compromised. But no, don't bother following procedure or the proper channels to protect national security, just keep telling your boss that he's inept and lazy.

Re:Security, in corporate America? lolll.. (0)

Anonymous Coward | more than 4 years ago | (#30674732)

I don't think he said that scenario happened in the military. I think he said it was in the corporate world.

Re:Security, in corporate America? lolll.. (0)

Anonymous Coward | more than 4 years ago | (#30674964)

I was referring to dealing with security issues in the corporate world assuming he was working for a company dealing with classified information like a defense contractor. If he's just talking about the difference between going from dealing with classified security environments to run of the day corporate business security then I apologize for my misreading and would probably agree. Security at most companies not dealing with banking or classified materials sucks, and there's not a whole lot you can do to convince them to improve it.

Re:Security, in corporate America? lolll.. (0)

Anonymous Coward | more than 4 years ago | (#30673892)

Except, of course, in those rare instances where everybody in the executive suites has a vested interest in keeping either their competitors or the government unaware of their activities.

Wadda ya mean "either"?

Re:Security, in corporate America? lolll.. (0)

Anonymous Coward | more than 4 years ago | (#30675124)

I had a top secret security clearance with an armful of qualifiers by the time I was 18.

This is less impressive and far more common than it sounds. At that age, most folks have few if any traits or events in their past which might disqualify them from a clearance, or raise any red flags during the background check required for a TS/SCI. At 18 you simply haven't lived long enough to rack up substantial debt, make enemies, have embarrassing sexual proclivities, etc. A little drug abuse, a few petty crimes on the rap sheet, no big deal; they don't care about the sort of stuff most teens have gotten into.

In short, the average 18 year old is impossible to extort or blackmail, and will have no demonstrable history of being untrustworthy. Rubber-stamp clearance, son.

Re:Security, in corporate America? lolll.. (0)

Anonymous Coward | more than 4 years ago | (#30681174)

>>>I had a top secret security clearance with an armful of qualifiers by the time I was 18.

Wow, superman, what else did you do?

Let's see, to get a clearance, one has to be at least 18.

And you are telling me with all the paperwork and background checks that need to be done, that was done, WITH A TOP SECRET, in your 18th year?

What else? Did you win a Pulitzer Prize also?
Nobel?
World Series ring??????

Re:Security, in corporate America? lolll.. (0)

Anonymous Coward | more than 4 years ago | (#30681752)

>>>>I had a top secret security clearance with an armful of qualifiers by the time I was 18.

Was that before or after you were in charge of the CIA?

Security is about Risk Management (4, Interesting)

MosesJones (55544) | more than 4 years ago | (#30673464)

Simply put, security is a standard risk management job: the risk of the problem occurring against the cost of preventing it. This then includes the cultural requirements for risk avoidance and the practices to ensure that.

Now will someone tell me why I should trust someone to tell a business person how to do the IT Risk Management who worked at a bank whose major failing was in Risk Management.

Isn't that like asking an Enron accountant to teach you ethics?

Re:Security is about Risk Management (5, Insightful)

0racle (667029) | more than 4 years ago | (#30673652)

Now will someone tell me why I should trust someone to tell a business person how to do the IT Risk Management who worked at a bank whose major failing was in Risk Management.

Well, intelligent people will probably realize that the Chief Information Security Officer and her subordinates probably didn't have much say in how the investment arm of the bank did business.

Enron's accountants obviously failed at applying ethics, but I don't see Bear Stearns failing because the IT group(s) failed to accurately or sufficiently measure and protect their assets. Would you not hire or work with someone from one of these failed banks' IT groups because the bank failed, holding that up as some indicator that this person couldn't possibly know what they're doing?

Re:Security is about Risk Management (1)

GodBlessTexas (737029) | more than 4 years ago | (#30676314)

As a former Enron employee in the Information Security department, I can tell you that it did not matter that I was not an accountant while looking for information security work after the company tanked in late 2001. The simple mention of Enron on my resume sandbagged any interview I went on. I might as well have been shredding documents myself. Thankfully, I eventually found someone willing to give me a shot and got my career on track again. It just took 3 years to do it.

Re:Security is about Risk Management (1)

The Wild Norseman (1404891) | more than 4 years ago | (#30676868)

The simple mention of Enron on my resume sandbagged any interview I went on.

Are you sure it wasn't just because you were from Texas?

Re:Security is about Risk Management (1)

GodBlessTexas (737029) | more than 4 years ago | (#30677556)

One could assume that since these were companies located in Texas, it was a non-issue. The energy business is a little superstitious, and unfortunately dominates the job market in Houston. I moved to Dallas and landed an Information Security job with a billion dollar company and then moved on to consulting for companies of similar size or larger. Life has been good so far. I've even done some work in the energy sector.

Re:Security is about Risk Management (1)

The Wild Norseman (1404891) | more than 4 years ago | (#30678218)

Hey, that's cool. I was just tweakin' your nose a little bit.

Re:Security is about Risk Management (0)

Anonymous Coward | more than 4 years ago | (#30684102)

...Now will someone tell me why I should trust someone to tell a business person how to do the IT Risk Management who worked at a bank whose major failing was in Risk Management.

She does IT sec risk mgmt.

Bear failed on financial risk mgmt.

Focus on the fact that they never had a data breach.

Oh my god (3, Interesting)

dachshund (300733) | more than 4 years ago | (#30673670)

After hearing that description, I would rather eat glass than read this book. Nonetheless, as much as I hate to admit it, the attitude of the higher execs really will make the difference between an organization that follows security policy, and one that just buys a bunch of equipment and pretends that it's helping them.

Sadly, I don't think that any of this fuzzy management advice is going to make much of a difference in the current environment. What will happen is that criminal groups will become more effective and /that/ will have an effect on the stock price. As a result, CEOs will emphasize security as a top priority. Then you'll see them hiring & giving real power to bright folks who know what they're doing, and making sure that the employees follow policy. The results will trickle down. But there has to be real pain before this is anything more than buzzwords.

Re:Oh my god (0)

Anonymous Coward | more than 4 years ago | (#30675946)

After hearing that description

ARE YOU DEAF?

executive summary on security (1)

prgrmr (568806) | more than 4 years ago | (#30673676)

Security is something you do, not just something you have. In addition to hardware, software, policy and procedures, security requires discipline, constant vigilance, and flexible adaptability to the changing world around us. If you don't have or aren't willing to acquire the latter three of those aspects of security, the preceding four aren't going to cover your risk.

Review author lives in a happy place (3, Insightful)

owlstead (636356) | more than 4 years ago | (#30673684)

The last 4 or 5 book reviews he has put up on Amazon (including this one) all get 5/5 stars (and only one out of many scores as low as two stars). I'm not saying that that is wrong or anything, but it does make me just slightly wary. If anyone else has another opinion please post it, because this review alone won't make me buy the book.

Re:Review author lives in a happy place (4, Informative)

brothke (1348253) | more than 4 years ago | (#30673942)

You are correct that the vast majority of the books I review do get high ratings, as I only review books I like and think are of significant value. There are plenty of books that I read that I feel are a waste of paper; I personally, though, prefer not to review them.

Re:Review author lives in a happy place (1)

LordNimon (85072) | more than 4 years ago | (#30675910)

I personally though prefer not to review them.

You should.

Re:Review author lives in a happy place (2, Informative)

Red Flayer (890720) | more than 4 years ago | (#30674014)

Could be a matter of selection bias. Maybe he doesn't bother reading books not highly recommended to him by others.

Or could be a matter of reporting bias. Maybe he doesn't bother writing reviews for books that aren't very good.

Maybe he really does suffer from the "video game rating" problem where the minimum score is 6 on a 10-point scale. But no matter what, you'd be silly to spend a lot of time on anything based on the review of single person.

I know in my case, I don't have a lot of free time... I don't think I've read a book in the last two years that I wouldn't give at least a 9 out of 10... partly because I get most of my books at the library, and the first chapter or so of any book is enough information for me to decide to read the whole book or not.

Re:Review author lives in a happy place (2, Informative)

brothke (1348253) | more than 4 years ago | (#30674230)

>>>Or could be a matter of reporting bias. Maybe he doesn't bother writing reviews for books that aren't very good.

As I said, I don't see it as my task to write negative reviews. I take the opposite approach to the one Robert Slade takes. See http://en.wikipedia.org/wiki/Robert_Slade [wikipedia.org] - He reviews other works but gave first priority to information security. His reviews are often critical; to the project FAQ question, "Don't you like any books?" Slade replied that he may be cruel but is fair.

Re:Review author lives in a happy place (1)

nine-times (778537) | more than 4 years ago | (#30674362)

Maybe the reviewer only bothers to write reviews for books he likes.

I'm not saying you're wrong to be suspicious. I'm just pointing out that there's at least one valid reason why a reviewer would trend toward positive reviews.

Re:Review author lives in a happy place (1)

TheLink (130905) | more than 4 years ago | (#30683310)

In most security stuff a common default is "default deny".

Life is short. There is no point writing lots of lines for stuff you don't want - there's too much of it.

You might as well write lines for stuff you want :).

hmm (3, Insightful)

nomadic (141991) | more than 4 years ago | (#30673906)

The story of Jennifer Bayuk is tragic in that she spent a decade as CISO at Bear, Stearns, building up its security group to be one of the best in the business; only to find it vaporized when the firm collapsed and was acquired by J.P. Morgan Clearing Corp.

And all she got out of it was a lot of money, material for a book, and a great resume. Where's the problem?

Re:hmm (1)

Foolicious (895952) | more than 4 years ago | (#30674152)

I'd echo this. I can think of far greater tragedies that occurred as a result of firms like Bear Stearns collapsing.

Re:hmm (0)

Anonymous Coward | more than 4 years ago | (#30675122)

>>>And all she got out of it was a lot of money, material for a book, and a great resume. Where's the problem?

It is not about the money necessarily. When my group folded, I was depressed for a long while. All the time I invested, kids events missed, etc., was all for waste. Sure severance was great, but still was depressed.

Re:hmm (1)

nomadic (141991) | more than 4 years ago | (#30675330)

It is not about the money necessarily. When my group folded, I was depressed for a long while. All the time I invested, kids events missed, etc., was all for waste. Sure severance was great, but still was depressed.

Every company, division, etc., will eventually go out of business. It's inevitable. The point is what's done while it's still around. Her division, if the glowing description is to be believed, helped Bear Stearns carry out its business. I mean, if she was an architect and every building she built got torn down I can understand, but she was essentially providing a temporally limited service that functioned as it was supposed to. I mean, eventually it would have had to be replaced with something more cutting edge anyway.

Re:hmm (1)

tnk1 (899206) | more than 4 years ago | (#30675442)

And all she got out of it was a lot of money, material for a book, and a great resume. Where's the problem?

Those are certainly compensations, but even though executives are frequently overpaid, most of them on average probably work longer hours than most of their employees do between travel, meetings and high level planning and decision making. Some people are after money, but many more are after *power* and no matter what sort of parachute you get, golden or lead, once you have a certain amount of money in the bank, your interests may well shift away from simply acquiring even more comfort and material goods and more towards shaping the world around you.

And like many lower level people on the totem pole, they probably get some satisfaction from creating something that works, and then being able to run it for awhile and look back at it as a success. There are many people even in the non-executive world, who would prefer a more satisfying job over a larger paycheck.

Re:hmm (1)

HornWumpus (783565) | more than 4 years ago | (#30678168)

probably work longer hours than most of their employees do between travel, meetings and high level planning and decision making.

Translates to:

probably work longer hours than most of their employees do between free travel in a corporate jet, golf with other fat cats, hookers, blow and finally a coin toss as they don't understand a damn thing anyhow.

Re:hmm (1)

Gorobei (127755) | more than 4 years ago | (#30678338)

Yep, you don't get to be an effective senior exec without serious hard work.

I logged on to our system this last New Years Day at 9am. The only people on and working were the senior guys.

Re:hmm (1)

H0p313ss (811249) | more than 4 years ago | (#30675894)

Where's the problem?

Probably the ulcer and chronic migraines.

Executive summary (2, Funny)

Quiet_Desperation (858215) | more than 4 years ago | (#30674016)

Chapter 1:

- Hire someone who knows what the hell they are doing, and let them do it.

Chapter 2:

- Let's work on that golf swing!

[and so on]

Re:Executive summary (2, Insightful)

Anonymous Coward | more than 4 years ago | (#30674568)

Huuu nope.

Try to do any security in a medium to large company when you have no support from high-level executives. Even if you know what you are doing, others will not want to hear about it.

Re:Executive summary (1)

Sabriel (134364) | more than 4 years ago | (#30676770)

I'd presume the "and let them do it" part would include providing the authority needed to get the job done. Sadly... yeah.

Re:Executive summary (1)

TheLink (130905) | more than 4 years ago | (#30683350)

Or is it related to part 2?

Maybe people respect the authority of his golf swing ;).

Re:Executive summary (0)

Anonymous Coward | more than 4 years ago | (#30677920)

I would like to offer you a position in creating executive summaries for enterprise management books.

Re:Executive summary (1)

An ominous Cow art (320322) | more than 4 years ago | (#30684672)

Keep in mind that Enterprise security personnel wore the red shirts, and we all know what happens to them...

Bear was the least secure company. EVAR! (4, Informative)

Anonymous Coward | more than 4 years ago | (#30674060)

I work for a company that uses Bear Stearns services.

These services REQUIRE that users have:
Local Administrative privileges
Run IE6
Run MSJava 3 years after MS pulled the plug on it (Later revised to only allow Sun Java 1.4 r16, which is several years old).

That's the insecurity trifecta that is foisted on the people managing your money.

We still cannot upgrade past Windows XP to this very day because of these HIDEOUS requirements. JP Morgan is barely now getting the ball moving on updating these services.

She obviously has no clue about security. I don't have to read the article or book. I would suggest ignoring her completely, and hopefully blackballing her from ever holding any position again.

-nb

Re:Bear was the least secure company. EVAR! (0)

Anonymous Coward | more than 4 years ago | (#30675000)

To say that Bear was the least secure company ever, and you did spell it as EVAR, shows how utterly clueless you are.

>>>JP Morgan is barely now getting the ball moving on updating these services.

100% wrong.

>>>. I would suggest ignoring her completely, and hopefully blackballing her from ever holding any position again.

So did she fire or demote you?

Re:Bear was the least secure company. EVAR! (0)

Anonymous Coward | more than 4 years ago | (#30675292)

Do you use JP Morgan clearing services? Do you work for JP Morgan? Did you work for the company formerly known as Bear Stearns? Probably not.

100% wrong? Really? From a customer perspective, there is almost no indication that these services are being updated with respect to security. I know because I support it within our organization.

FYI "EVAR" is an internet meme injected for the purposes of hyperbole.

-nb

Re:Bear was the least secure company. EVAR! (0)

Anonymous Coward | more than 4 years ago | (#30675006)

You're right, you don't have to read the article. That way you won't have to confront the facts that prove you're talking out of your ass.

Re:Bear was the least secure company. EVAR! (0)

Anonymous Coward | more than 4 years ago | (#30675872)

and u r the smartest security evar?

u meant Bear is worse than tj maxx? I thought they were the worst EVAR!!!!!

Re:Bear was the least secure company. EVAR! (1)

nortcele (186941) | more than 4 years ago | (#30684036)

Nearly every large corporation over 20 years old is in the same situation. XP, IE6, some old Java. Local admin rights. Some CPU-sapping virus scanner program firing off at 5:30pm rendering the user PC useless. Frustrated users leave for home instead of continuing work. Activated network ports are not tied to a specific MAC, so any netbook, laptop, etc. can be plugged in (and thus snoop).

Security requires a price in time and effort, and there are always compromises in order to get work accomplished.

Re:Bear was the least secure company. EVAR! (0)

Anonymous Coward | more than 4 years ago | (#30684862)

> Nearly every large corporation over 20 years old is in the same situation.

My exposure to Exxon a few years ago has me disagreeing. They ran a fairly tight ship. Systems didn't allow alteration, desktops/laptops (even remote-connects) were scanned before admission to the internal network, and users/nets are tight. Annoyingly tight, in fact, with a lengthy approval bureaucracy for custom apps or code.

Anyone else want to hand nortcele some counterexamples?

Oh, and last time I checked, XP wasn't by itself evidence of bad security practices...

In a sentence: (2, Interesting)

rickb928 (945187) | more than 4 years ago | (#30674572)

"And to the extent which a CxO controls assets, is the extent to which others can't use them in unexpected ways."

She nailed it. Enterprise security is indeed a culture, not a function. You got it, or you don't.

Not only Heartland, but Hannaford, show the importance of the culture of ritual and 'things you just don't do'. Virtually every time you hear of a consultant/temp blowing up security and causing a breach, you see the same thing - the organization needs this to be a business-as-usual approach from the top down. It's not only about doing it right, it's about there being no other way.

And then giving your CxOs the authority and assets to actually perform. All the way down.

At my work, there are lots of things we just don't do. My work computer never sees the Internet except through the corporate proxy, either in office or via VPN. I do have the ability to install any software I want, but I don't install anything that I would not want to justify to the security folks. We get Adobe Reader configured as plain-vanilla, and I turn off JavaScript just because. I watch my virus-scanning and resolve any occasional alerts. We also use Cisco Security Agent, and I tolerate it when it jumps in and says no.

I could be messing about with any number of questionable things, but it's not worth it.

Now, my home machines, that's different. :)

Re:In a sentence: (1)

Znork (31774) | more than 4 years ago | (#30677200)

> She nailed it.

It's a nice sounding quip, but it's too easy to drop the last three words and have what is possibly a control issue into a business issue: "And to the extent which a CxO controls assets, is the extent to which others can't use them". The problem is what is unexpected and to what extent the CxOs actually 'expect' internal requirements, and the extent to which, when they're told the requirements, they come up with solutions rather than an inane 'that's not policy'.

For most companies, being 'secure' is not their core business, and the bottom line is what matters. If security gets in the way of generating revenue, then, well, risk doesn't really matter to companies that aren't in business. Many security incidents are merely embarrassing or a nuisance and may not cause significant harm to the bottom line, and you have to weigh cost against benefit.

Some comments like 'A CxO should fire people who wilfully avoid compliance with security policy.' certainly suggest control freak rather than productive security. Did the employee bypass security policy after trying to work within it? Did the employee do it in the line of work? Did it expose the company to risk? If the policy is harming business, perhaps the problem lies not with the employee but with the CxO policies.

There's a vast difference between someone surfing pr0n on work computers and someone who, after filing his 35th request for a website clearance in a week, simply doesn't have the time any more and bypasses an obviously deficient website policy in a secure way. Defective policies that get in the way of legitimate business are counterproductive and they will make people bypass them; trying to make it a power game is even more counterproductive, internal turf wars and conflicts cost far more than re-evaluating policies and making them support both business and security requirements.

> At my work, there are lots of things we just don't do.

It certainly sounds as if your place of employment has reasonable policies and is managing to get employees 'on board' with the program. Mine is usually fairly sane as well.

> I could be messing about with any number of questionable things, but it's not worth it.

Which is the strongest indication that your employer is doing it right.

> Now, my home machines, that's different. :)

Personally it's the other way around, I run much tighter security at home. But then, I have much better knowledge of expectations here...

She needs to secure herself a better web site (1, Funny)

Anonymous Coward | more than 4 years ago | (#30675042)

It's no wonder she is out of a job, I haven't seen that level of HTML design since Frontpage 1.0. Come on, security is nice but image is everything!

Re:She needs to secure herself a better web site (0)

Anonymous Coward | more than 4 years ago | (#30677120)

>>>>>security is nice but image is everything!

which means u don't understand security.

Re:She needs to secure herself a better web site (0)

Anonymous Coward | more than 4 years ago | (#30677614)

and your image is?????????

passing an audit (0)

Anonymous Coward | more than 4 years ago | (#30677010)

is painful, just like passing a kidney- or a mile- stone. Audit is overrated, as it lacks a penalty feedback; for example all of the major FI failures 'passed' audits. Companies with serious security flaws also passed audits. And self-disclosure, although it may sound like a regulators' wet dream, is just adding more low-hanging fruit to the auditor's basket. A company that thinks that passing an audit or doing things to pass an audit makes them more secure is not.

Enterprise Security (0)

Anonymous Coward | more than 4 years ago | (#30678250)

Chapter 1 - Hire Worf

Nuff said

I don't really trust this review(er) (0)

Anonymous Coward | more than 4 years ago | (#30685724)

What Shakespearean fate did she suffer?! She got downsized in a major recession after her company folded. But it was from a C-level position? Oh, woe. Oh the humanity. What epic greatness did she exhibit? Well, nothing verifiable. Unsurprisingly, since it isn't like anyone brags about their (or their industry's) faults and security breaches. Certainly not banks. We're not going to see some CISO Martin Luther nailing (emailing) his manifesto of change any time soon, unless they plan a career change.

Beyond this dreck, my reaction was the same here as for any other review(er) that likes spinning a good yarn -- deeply flawed. That'd go double for reviewers using hyperbole like I've just mentioned in introducing the author. The whole review becomes questionable since the reviewer is evidently more into building their own personal narrative than doing their job: reviewing the damn book at hand. I'm left wondering if you discarded or overlooked review data that didn't fit your narrative.

Hate to get pedantic, but: Review the book. If favorable, point out flaws. If unfavorable, point out a few good points. While you're at it, indicate the target audience the book seems best suited for, such as artists, engineers, IT, suits, students, or as firestarter.
