zlacker

[parent] [thread] 7 comments
1. btbuil+(OP)[view] [source] 2024-09-16 12:45:16
> Lawyers finding problems and trying to stop things from happening instead of finding solutions. Security blocking things and not suggesting alternatives. IT blocking this or that instead of trying solve problems, etc.

I think these are clear signs of a dysfunctional organization. I want to associate that with company size (larger -> more bureaucratic, counter-mission nonsense), but I've also seen large companies that don't get caught in these pitfalls. My best guess to lay blame would be at inadequate, out of touch, need-to-be-fired B.o.D and upper and mid-management deadwood. These are the people that propagate such ineffective culture.

I will forever remember the head of IT at my org exclaiming in a meeting, "I'm not here to solve problems". Blew my mind at the time, but it's emblematic and representative of company culture as a whole.

replies(2): >>twojob+Xq >>__turb+7i1
2. twojob+Xq[view] [source] 2024-09-16 15:41:19
>>btbuil+(OP)
TBF there are orgs at companies whose sole role is to play DEFENSE - lawyers, CSO etc… if they deem something too risky it IS their job to block it, and then it’s up to upper management to override them if the situation calls for it.

Now that said they should still try to advance the mission within that framework, and not be lazy.

replies(1): >>fishpe+Bw
◧◩
3. fishpe+Bw[view] [source] [discussion] 2024-09-16 16:09:07
>>twojob+Xq
The most secure company is, of course, the company that doesn't exist. Bankrupting your org is certainly the most effective way to keep it secure.

Yes, their role is defense, but not insofar as to remove the profitability of the organization. In several orgs now I've seen the legal team blow contracts and the security team break the product and the IT team break development in the name of performing their role "correctly".

Brainless box checking is not part of defense, you must be willing to critically think about how to fit your role to your product or organization's profit motive.

replies(4): >>Hacktr+eN >>btbuil+kP >>ngneer+NW >>herald+9xa
◧◩◪
4. Hacktr+eN[view] [source] [discussion] 2024-09-16 17:45:45
>>fishpe+Bw
Not disagreeing with you, can you give and explain one of the examples where you have seen this?
◧◩◪
5. btbuil+kP[view] [source] [discussion] 2024-09-16 17:57:40
>>fishpe+Bw
Reminds me of the "most secure computer is the one encased in a block of concrete at the bottom of the ocean".
◧◩◪
6. ngneer+NW[view] [source] [discussion] 2024-09-16 18:42:29
>>fishpe+Bw
There is a natural tension between these equally important roles, especially when folks choose to view competing objectives as a zero sum game. I think your point of view is one-sided.
7. __turb+7i1[view] [source] 2024-09-16 20:30:18
>>btbuil+(OP)
I see this all the time. Organizations which are solely dedicated to stop things from happening instead of allowing things to happen.

One example is a disaster readiness organization which mandates that teams cannot deploy code in only a single datacenter. What they should really be doing is making it so code automatically runs in multiple datacenters.

Facilitate instead of forbid.

◧◩◪
8. herald+9xa[view] [source] [discussion] 2024-09-19 20:20:18
>>fishpe+Bw
>the IT team break development in the name of performing their role "correctly".

Your daily driver account should not be local admin.

Yes, we need MS Defender/S1/Crowdstrike for EDR, DNS blocking and Mandatory updates etc for security which now is actual money with cyberinsurance that won't pay unless we fulfil certain criteria. This all requires computers to be managed by an MDM.

Take it up with teh bossman.

[go to top]