Comments on IT Security: The view from here: Security Challenge

Rob (https://www.blogger.com/profile/09719635361996746834), 2007-05-26 06:36 -07:00:

Oh, and no, I'm not on Mike's payroll.

Yet...

Rob (https://www.blogger.com/profile/09719635361996746834), 2007-05-26 06:36 -07:00:

Mike Rothman has linked to this post to say how close this survey is to the intro of his book.

There's a reason for this. Mike's book is based on real life, and can only have been written by someone who's experienced it.

I carry it with me on a daily basis; it is like a bible for security folks. If everyone else in ISC2 did, maybe it would look a little different?

Andrew, if you don't have a copy yet, I advise you to invest (charge it to the company of course). It is fresh, interesting and will galvanise your approach even more.

I've said before that Mike isn't teaching you anything new, but what he is doing is telling you the right way to do what you already know. Galvanising is a good word.

Andrew Mason (https://www.blogger.com/profile/13400572213465734164), 2007-05-25 05:52 -07:00:

Thanks for sending this to me as it has galvanised my approach somewhat.

Regarding my first comment you quote, I have been considering different approaches recently and trying some out. Some have made ground and I will blog about that at some stage.

The interesting thing is, having tried the "get management buy-in at the highest level" approach as all good InfoSec publications advise, nothing happened. Nada. Zip. The Directors nodded and murmured agreement and then forgot about everything once they left the board room.

I'm still persevering with that but have also started attacking the lower orders with more success. It strikes me that your average employee does want to improve the InfoSec environment but doesn't get told to. If you include them in discussions they are normally eager to assist. The issues arise when they need to allocate time from their busy schedule to do the work, and that is where the management buy-in is required.

That said, if your average manager gets inundated with requests from their own staff to work on similar issues, they will normally agree to allocate some time. It only gets tricky when the time requirement gets to the stage where it is impacting day-to-day operations. However, by that time, hopefully, enough managers are getting requests for time that it gets discussed higher up.

When that happens, the law of "volume control" starts working and the director-level types get hassle from more than just that irritating InfoSec guy who's always telling us how bad things are.

Will this work in reality? Who knows, but it has to be worth a try!!