Born and bred in IT – and first influenced by global Oil & Gas, the Japanese and the German manufacturing industry – I never experienced excessive levels of management before entering the more anglophile international workspace outside my home country.
At best, between me and the board were only two clearly structured formal management levels. Ranks and titles did not mean much; the assignment you received came with clear objectives and authority, with no regard for your rank.
One day, you may have reported to your team leader, and the next day, with a new assignment, you might have reported to the CEO. You’d better be good and know what you are doing. Leadership skills and the ability to communicate without bias were necessary, even if one had no formal rank. The leaders were listening, and every bit of expertise was most welcome.
Fast forward to the present day…
When it comes to the matter of cyber security and the assessment of risk, it doesn’t seem to work in the same way everywhere.
I remember rushing to the head of security (CISO) at some bank and telling him that one critical shell binary (called cmd.exe) across his environment of hundreds of servers changes frequently. This CISO was only shrugging his shoulders, clearly signaling that he was not interested at all.
On another occasion, I attended a meeting with front-liners from some regional government. The tools in place were not used at all, and I asked how they had passed previous audits. Apparently, the auditors brought in by the government looked at the paperwork, saw that the tool from xyz-company was in place, and ticked the box.
Needless to say, this exact organization had since been visited twice by unfriendly hackers, who collected an undisclosed number of credit cards.
Once (Read more...)
This is a Security Bloggers Network syndicated blog post. Read the original at: The State of Security 2017-11-05.