[LINK] a little light diversion
stephen at melbpc.org.au
Sat Aug 11 15:52:06 AEST 2007
At 03:34 PM 11/08/2007, Roger Clarke wrote:
> Ten Things Your IT Department Won't Tell You
> The Wall Street Journal .. By VAUHINI VARA July 30, 2007;
> <http://online.wsj.com/article_email/SB118539543272477927-lMyQjAxMDE3ODM1MDMzOTA1Wj.html>
>
> With even the WSJ offering 'advice' that invites a whole host
> of insecurities (Google Desktop, for heaven's sake!!??), what
> chance is there of small business or consumers avoiding the pitfalls??
True enough, Roger, one agrees in principle .. but, others say ...
Stop complaining and shut the door!
By Frank Hayes on Fri, 08/10/2007 - 2:54pm
<http://www.computerworld.com/blogs/node/6013>
I didn't see this Wall Street Journal article, "Ten Things Your IT
Department Won't Tell You," when it appeared at the beginning of last
week. The piece was a tip sheet for how employees can get around corporate
IT policies, and it seems to have stirred up great fury in some quarters --
I understand why the security people are unhappy with the WSJ for
publishing this piece.
But the security people should understand that, on this one, they're dead
wrong.
Not a little wrong -- completely, 100% wrong.
And I'm really appalled to think that serious security professionals
believe what the WSJ published was a bunch of deep, dark secrets to
corporate users.
Users know this stuff already! They don't have to read an article in the
WSJ to learn about it. They have departmental power users who have been
diving through the holes in their company's IT security for years. The Web
and print magazines are full of information on everything that was in the
WSJ article. And everybody's brother-in-law is full of misinformation
about how there's really nothing wrong with it.
This isn't even a case of depending on "security through obscurity." It's
not obscure! The idea that this is new information to users falls under
the category of "security through wishful thinking."
Was the WSJ wrong, irresponsible and evil to publish the article? Hogwash.
They revealed nothing.
But they did do every corporate IT security pro a huge favor.
It's not too late to dig up the Monday, July 30, issue of the paper.
Photocopy the article. Take it to your boss, and recite the following
speech:
"We must now assume that every user can do these things.
"I need your sponsorship and the budget and resources necessary to close
these 10 security holes in our systems.
"And I need them now, because users have had this article for two weeks."
Face it, if you just e-mailed that boss a list of those same stupidly
dangerous user tricks, you'd get no action. You'd likely get nothing if
you sent a copy of an article with the same information that appeared in
Computerworld or CSO or any other infosec trade pub.
But the Wall Street Journal? That's something that will get respect all
the way up the chain.
Quit whining. Use the opportunity this presents.
And for Pete's sake stop assuming your users are stupid. Your worst enemies?
Maybe. Grossly misinformed and undereducated and uncooperative when it
comes to security? Probably. But not stupid. That stopped being a secure
assumption a long time ago.
--
Message sent using MelbPC WebMail Server