[NBLUG/talk] acceptable risk

Kendall Shaw kshaw at kendallshaw.com
Wed Nov 20 11:17:27 PST 2013


I do want to stay out of it as much as I can. But, for example, when I 
was hired, I was asked to sign an agreement that I will not use any open 
source software or URLs... My main job function consists of extending 
some open source software. An IT liaison has stated details of a license 
agreement that would put the entire department that I am in in violation 
of the rules. So, I want to try to avoid the situation where weight is 
put behind impossible rules by contributing some suggestions. Part of my 
job overlaps with IT, so I will be a part of it to some extent.

Kendall

On 11/20/2013 09:18 AM, Steve S. wrote:
> I've got to agree with Mr. Blick:
>     "... not your job... stuck their neck out... not welcome... even if
> you... end up on the security team... you'll be frustrated ..."
> As he notes, security can be a "non-visible" thing (as can other areas
> of IT)... it can appear to the naive executive eye as an infinite
> black-hole of money-suck, which needs to be firmly reined-in (often to
> the degree that it's almost a pointless exercise to put ANY resources
> into...).
>
> The possible exceptions I see:
>   1. There's already been a serious security breach, and the company's
> reputation/clients/products/etc are at-risk; they HAVE to do this, and
> they have to do it RIGHT (not just pro-forma), probably because there
> will be external audit/scrutiny.
>   2. There's a REALLY ardent security-minded "organizational champion"
> -- someone with a LOT of clout (probably bearing a title like
> "Director" or "VP" or the like) -- pushing this as their top (or one
> of the top-3) priority-items, and not willing to settle for
> half-assed.
>
>
> Best of luck!
>
> On Wed, Nov 20, 2013 at 9:03 AM, Bob Blick <bobblick at ftml.net> wrote:
>> On Wed, Nov 20, 2013, at 08:13 AM, Kendall Shaw wrote:
>>
>>> I am employed as a computer programmer. Security policies are being
>>> developed where I work. It is not my job to deal with the issue, but it
>>> is going to affect my ability to do work. One major concern that I have
>>> is that it doesn't appear to me that people understand the concept that
>>> you can never be 100% secure.
>>> Do you have any advice?
>> Hi Kendall,
>>
>> Just my two cents, I'd advise learning about the situation as much as
>> possible, but since you say it's not your job, I'd really advise keeping
>> out of the way. That's just me speaking from the standpoint of someone
>> who has stuck their neck out before. It's usually not welcome, and if
>> you like your job otherwise, keep it or else look for another job.
>> Because even if you try to help in a constructive way and end up on the
>> security team, most companies don't want to invest a lot of resources in
>> non-visible things, and you'll be frustrated when you are asked to help
>> develop a system they don't want to do right. Or maybe they are just not
>> super smart, in which case, look for another job anyway, because it's
>> much more fun working with smart people.
>>
>> Friendly regards, Bob
>>
>> --
>> http://www.fastmail.fm - The way an email service should be
>>
>
>


-- 
Sorry, you must accept the license.